SPECIFICATION



TO ALL WHOM IT MAY CONCERN: 

BE IT KNOWN THAT WE, Masayuki Terada, a
citizen of Japan residing at Yokosuka-shi, Kanagawa-ken,
Japan, Ko Fujimura, a citizen of Japan residing
at Yokohama-shi, Kanagawa-ken, Japan, Hiroshi Kuno, a
citizen of Japan residing at Yokohama-shi, Kanagawa-ken,
Japan and Masayuki Hanadate, a citizen of Japan
residing at Yokohama-shi, Kanagawa-ken, Japan have
invented certain new and useful improvements in

ORIGINAL DATA CIRCULATION METHOD, SYSTEM, 
APPARATUS, AND COMPUTER READABLE MEDIUM 

of which the following is a specification:- 



TITLE OF THE INVENTION

ORIGINAL DATA CIRCULATION METHOD, 
APPARATUS, AND COMPUTER READABLE MEDIUM 



BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention generally relates to
an original data circulation method, system,
apparatus, and computer readable medium. More
particularly, the present invention relates to 
providing technologies for storing and distributing 
data such as a digital ticket which represents a 
digital right, digital contents and the like, in 
which the number of valid reproductions of such data 
needs to be smaller than a defined number. 

2. Description of the Related Art 
Reproduction of data, or of a digital ticket
which represents a digital right, in excess of the
number which the data distributor intends should be
prevented. That is, illegal reproduction of
distributed data by a user should be prevented.

Conventionally, such multiple use is 
prevented by technologies described in the following. 

A first method is that transfer histories 
of the original data are attached to the data and 
they are used to check whether the data is already 
used or not at the time of request for exercising 
the right. If the right is already used up, the 
service provider (or collector) of the data refuses 
accepting the right represented by the data. 

A second method is to store the data in a 
tamper-proof device such that the data cannot be 
accessed except via the tamper-proof device. When 
the data is used up, the data is deleted from the 
tamper-proof device. 

According to the above-mentioned first
method, a special device such as the tamper-proof
device is not necessary. However, a problem comes
up when the data is circulated. More specifically,
validity of the data can be checked only when the
right is exercised according to the first method.
Therefore, there is a problem that the validity of
the data cannot be judged while the data is
circulating.

According to the above-mentioned second 
method, uniqueness of the data can be protected by 
using the tamper-proof device. In addition, methods 
which are described in Japanese patent application 
No. 6-503913 or Japanese laid-open patent application 
No. 9-511350 can be used together with the above-mentioned
second method, in which a plurality of
tamper-proof devices are connected via secure 
communication routes which are protected by 
cryptography. The data is exchanged via the 
communication routes such that the data can be 
circulated while preventing reproduction of the data. 
However, the technology has the following two 
problems since the data needs to be stored in the 
tamper-proof device. 

First, it becomes impossible to view the 
description of the data. Therefore, there is a 
constraint that all checks such as a check of the 
validity period of the description should be left to 
the tamper-proof device. 

In addition, since the tamper-proof device
should not only have a storing part of the data but
also carry out all processing necessary for handling
the data, a large storage capacity and a high
processing throughput are required for the tamper-proof
device. Especially, an IC card which is
generally used for the tamper-proof device does not
have enough storage capacity or processing
throughput.



SUMMARY OF THE INVENTION 

It is an object of the present invention 
to provide an original data circulation method, a 
system, an apparatus and a computer readable medium 
in which it is ensured that the number of valid 
reproductions of data is maintained below a 
specified number. In addition, the tamper-proof 
device does not necessarily perform all 
verifications other than the verification on 
reproducing such that processing load such as 
processing throughput or memory capacity can be 
decreased. 

The above object of the present invention 
is achieved by an original data circulation system 
for storing or circulating original data which is 
digital information, the system comprising: 

an apparatus including: means for 
generating first information corresponding to an 
issuer apparatus for issuing data; means for sending 
the first information; and means for sending second 
information corresponding to the data; and 

an apparatus including: means for 
verifying validity of the first information which is 
received; means for verifying that an issuing 
apparatus corresponding to valid first information 
is valid; and means for determining that data 
corresponding to the second information is valid 
when the issuer apparatus is valid. 

The first information may be, for example,
after-mentioned H(PkI) or the like. The second
information may be a hash value of data or a hash
value of data with a signature. The issuer
apparatus is determined to be valid, for example,
when the source apparatus of the first information
and an apparatus corresponding to the first
information are the same. Since a tamper-proof
apparatus and the like performs an authentication
process using the first information, the above-mentioned
problem is solved and the processing load
can be decreased.

The above object of the present invention 
is also achieved by a data storing method of storing 
digital information which has a value, comprising 
the steps of:

generating third information which is 
digital information with a signature signed by an 
issuer apparatus for the digital information; 

generating, by the issuer apparatus, 
fourth information, the fourth information being a 
manifest corresponding to the digital information; 

verifying, by a user apparatus, identity
of the issuer apparatus by using the third 
information and the fourth information; and 

preventing reproduction of the digital
information.

The fourth information may be, for example, 
a hash value of the data with the signature. The 
hash value is the manifest which corresponds to 
originality information. The originality 
information is information which represents 
genuineness of the right of data. In other words, 
the originality information represents the 
authenticity or originality of data. 

According to the above-mentioned invention,
data and the signature of the data are stored,
together with a manifest which is information in one-to-one
correspondence with the data and the signature. In
addition, the signer who generates the signature is
identified and it is verified that the signer is the
same as the party which intends to store the
manifest. Thus, the number of manifests which the
signer intends are stored in the data storing system.

The data storing method may further 
comprise the steps of:



verifying identity of the issuer apparatus 
by storing the fourth information in a tamper-proof 
device; and 

preventing reproduction of the digital
information.

Accordingly, the data can be stored in an 
apparatus other than the data storing system since 
the tamper-proof device is used. 

The above object of the present invention 
is also achieved by a data storing system for 
storing digital information which has a value, 
comprising:

an issuer apparatus for generating third 
information which is digital information with a
signature and generating the fourth information 
which is a manifest corresponding to the digital 
information; and 

a user apparatus for verifying identity of 
the issuer apparatus by using the third information 
and the fourth information; and 

preventing reproduction of the digital
information.

The above object of the present invention 
is also achieved by a user apparatus for using 
digital information in a data storing system for 
storing digital information which has a value, 
comprising:

first storing means for storing and 
extracting digital information with a signature; 

second storing means for storing and 
extracting a manifest corresponding to digital
information;

first authentication means for verifying 
that the manifest is valid; and 

first control means for storing the
manifest in the second storing means only when the
first authentication means verifies that the
manifest is valid.

Accordingly, by determining that the data 
is valid only when the manifest corresponding to the 
data is stored in the data storing system, having 
valid data exceeding the number of manifests that 
exist can be avoided. 

The above object of the present invention 
is also achieved by an issuer apparatus for issuing 
digital information in a data storing system for 
storing digital information which has a value, the 
issuer apparatus comprising: 

accredited information generation means 
for generating accredited information which includes 
a set of information representing an accredited 
object trusted by the signer of the digital 
information; 

signature means for providing a signature
to the digital information and to the accredited
information;

manifest generation means for generating 
the manifest; 

means for sending the digital information 
and the accredited information to a user apparatus; 

means for receiving session information 
which includes a verification key of the user 
apparatus and a serial number; and 

means for sending information including 
the manifest and the session information by using a 
verification key and a signature function of the 
issuer apparatus. 

Accordingly, there is an accredited object 
trusted by the signer of the data and a signature 
signed by the issuer apparatus. It is verified that 
the signer of the manifest is included in the 
accredited objects or in the signers trusted by the 
accredited object. In addition, it is verified that 
the signer of the accredited information and the 
signer of the data are the same. Accordingly, the
manifest can be transmitted only via a route trusted
by the signer of the data. At the time, the tamper-proof
capability is assured by using the tamper-proof
apparatus.

The above object of the present invention 
is also achieved by a collector apparatus for 
exercising a right of digital information in a data 
storing system for storing digital information which 
has a value, the collector apparatus comprising:

means for receiving digital information
with a signature of the issuer and accredited
information with the signature from a user
apparatus;

means for generating session information
which has uniqueness in the data storing system and
sending the session information to the user
apparatus;

means for receiving information including
the manifest and the session information from the
user apparatus; and

means for verifying that the session
information, the manifest and the accredited
information are valid.

Accordingly, by generating and storing the
session information, it becomes possible to avoid
the manifest being stored in a plurality of storing
parts without using an encrypted route. In addition,
it becomes possible to send a plurality of manifests
to a storing part in parallel.

The above-mentioned inventions will be 
described in the first embodiment in detail. In 
addition, the following inventions will be described 
in the second embodiment in detail. 

The above object of the present invention
is also achieved by an original data circulation
method in an original data circulation system for 



storing or circulating original data which is 
digital information, the method comprising: 

a sending step of sending, by a first 
apparatus, originality information, the originality 
information including fifth information which 
corresponds to an apparatus and sixth information 
which is data or information corresponding to the 
data; and 

an identifying step of identifying, by a 
second apparatus, the source apparatus of the 
originality information; 

a first authentication step of determining 
that the originality information is valid when the
source apparatus is authenticated; and 

a second authentication step of 
determining that the originality information is 
valid only when the source apparatus and an 
apparatus corresponding to the fifth information of 
the originality information are the same. 

The above object of the present invention 
is also achieved by an original data circulation 
system for storing or circulating original data 
which is digital information, the system comprising: 

a first apparatus which includes sending 
means for sending originality information, the 
originality information including fifth information 
which corresponds to an apparatus and sixth 
information which is data or information 
corresponding to the data; and 

a second apparatus which includes: 

identifying means for identifying a source 
apparatus of the originality information; 

a first authentication means for 
determining that the originality information is valid
when the source apparatus is authenticated; and 

a second authentication means for
determining the originality information is valid
only when the source apparatus and an apparatus
corresponding to the fifth information of the
originality information are the same.

The above-mentioned originality 
information will be called token in the second 
embodiment. The fifth information may be, for 
example, a hash value of a verification key (public 
key) of an apparatus. The sixth information may be, 
for example, a hash value of the data. According to 
the above-mentioned invention, since the second 
authentication means determines that the originality 
information is valid only when the source apparatus 
and an apparatus corresponding to the first 
information are the same, the conventional problem 
can be solved. In addition, since it is not 
necessary to circulate the signature, the processing 
load can be further decreased. 

The above object of the present invention
is also achieved by an issuer apparatus in an 
original data circulation system for storing or 
circulating original data which is digital 
information, the issuer apparatus comprising: 

originality information generation means 
for generating originality information which 
includes fifth information corresponding to the 
issuer apparatus and sixth information corresponding 
to data or information corresponding to the data; 
and 

originality information sending means for 
sending the originality information. 

The above object of the present invention 
is also achieved by a user apparatus in an original 
data circulation system for storing or circulating 
original data which is digital information, the user 
apparatus comprising: 

originality information sending means for
sending originality information which includes fifth
information corresponding to an apparatus and sixth
information corresponding to data or information
corresponding to the data;

identifying means for identifying a source 
apparatus of the originality information which is 
sent from an apparatus; 

authentication means for determining that 
the originality information is valid when the source 
apparatus is authenticated or when the apparatus 
corresponding to the fifth information and the 
source apparatus are the same; and 

storing means for storing the originality 
information when the authentication means determines 
that the originality information is valid. 

The above object of the present invention 
is also achieved by a collector apparatus in an 
original data circulation system for storing or 
circulating original data which is digital 
information, the collector apparatus comprising: 

identifying means for identifying a source 
apparatus of originality information; 

authentication means for authenticating 
the source apparatus; and 

data processing means for performing a 
process corresponding to the data or data 
corresponding to the sixth information when the 
authentication means determines that the originality 
information which is sent to the collector apparatus 
is valid. 

In the present invention, since accredited 
information which represents a trusted third party 
may be used, the originality information can be 
circulated between trusted parties. 

The above object of the present invention 
is also achieved by an original data circulation 
system for storing or circulating original data 
which is digital information, the original data
circulation system comprising:

an issuer apparatus including: 
first originality information generation 
means for generating originality information which 
includes fifth information corresponding to the 
issuer apparatus and sixth information corresponding 
to data or information corresponding to the data; 
and 

first originality information sending 
means for sending the originality information; 

a user apparatus including: 

first originality information sending 
means for sending originality information which 
includes fifth information corresponding to an 
apparatus and sixth information corresponding to 
data or information corresponding to the data; 

first identifying means for identifying a 
source apparatus of the originality information 
which is sent from an apparatus; 

first authentication means for determining 
that the originality information is valid when the 
source apparatus is authenticated or when the 
apparatus corresponding to the fifth information and 
the source apparatus is the same; and 

storing means for storing the originality 
information when the first authentication means 
determines that the originality information is 
valid; and 

a collector apparatus including: 

sixth identifying means for identifying a 
source apparatus of originality information; 

sixth authentication means for 
authenticating the source apparatus; and 

data processing means for performing a 
process corresponding to the data or data 
corresponding to the sixth information when the 
second authentication means determines that the 
originality information which is sent to the
collector apparatus is valid.

Accordingly, it becomes possible to issue
a ticket, transfer the ticket, consume and present
the ticket in the above apparatuses.

BRIEF DESCRIPTION OF THE DRAWINGS

Other objects, features and advantages of
the present invention will become more apparent from
the following detailed description when read in
conjunction with the accompanying drawings, in
which:

Fig. 1 is a diagram for describing a
principle according to a first embodiment of the
present invention;

Fig. 2 is a block diagram of a data storing 
system according to the first embodiment of the 
present invention; 

Fig. 3 is a block diagram of an issuer
apparatus of the data storing system according to
the first embodiment of the present invention;

Fig. 4 is a block diagram of a user
apparatus of the data storing system according to
the first embodiment of the present invention;

Fig. 5 is a block diagram of a collector
apparatus of the data storing system according to
the first embodiment of the present invention;

Fig. 6 is a block diagram of a connection
apparatus of the data storing system according to
the first embodiment of the present invention;

Fig. 7 is a sequence chart showing a ticket 
issuing process in the data storing system according 
to the first embodiment of the present invention; 

Fig. 8 is a sequence chart showing a ticket
transferring process in the data storing system
according to the first embodiment of the present
invention;



Fig. 9 is a sequence chart showing a ticket 
transferring process in the data storing system 
according to the first embodiment of the present 
invention; 

Fig. 10 is a sequence chart showing a 
ticket consuming process in the data storing system 
according to the first embodiment of the present 
invention; 

Fig. 11 is a diagram for describing a 
principle according to a second embodiment of the 
present invention; 

Figs. 12A and 12B are block diagrams of a
data storing system in an original data circulation 
system according to the second embodiment of the 
present invention; 

Fig. 13 is a block diagram of an issuer 
apparatus of the original data circulation system 
according to the second embodiment of the present 
invention; 

Fig. 14 is a block diagram of a user 
apparatus of the original data circulation system 
according to the second embodiment of the present 
invention; 

Fig. 15 is a block diagram of a collector 
apparatus of the original data circulation system 
according to the second embodiment of the present 
invention;

Fig. 16 is a block diagram of a connection 
apparatus of the original data circulation system 
according to the second embodiment of the present 
invention;

Fig. 17 is a sequence chart showing a 
ticket issuing process in the original data 
circulation system according to the second 
embodiment of the present invention; 

Fig. 18 is a sequence chart showing a 
ticket transferring process in the original data 



circulation system according to the second 
embodiment of the present invention; 

Fig. 19 is a sequence chart showing a 
ticket transferring process in the original data 
circulation system according to the second 
embodiment of the present invention;

Fig. 20 is a sequence chart showing a 
ticket consuming process in the original data 
circulation system according to the second 
embodiment of the present invention; 

Fig. 21 is a block diagram showing a 
configuration of a computer. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
(First Embodiment) 

First, a data storing system as an 
original data circulation system of the present 
invention will be described. 

Fig. 1 is a diagram for describing a
principle of the present invention. In the data 
storing system of the present invention, an issuer 
apparatus of digital information generates first 
information by adding a digital signature to the 
digital information in step 1. The issuer apparatus 
generates second information which is a manifest 
corresponding to the digital information and adds 
the second information to the first information in 
step 2. A user apparatus checks the identity of the 
issuer apparatus by using the first information and 
the second information such that the unauthorized 
reproduction of the digital information can be 
prevented in step 3. 

In the first embodiment, a digital ticket
that is a digital representation of a right to claim
services or goods is used as an example of digital
information to be circulated.

Fig. 2 shows a block diagram of the data
storing system. As shown in the figure, an issuer
issues a digital ticket. Then, the user transfers 
the digital ticket to another user. When a user who 
receives the digital ticket uses the digital ticket, 
a verifier verifies validity of the digital ticket. 

In the figure, the issuer of the digital 
ticket has an issuer apparatus 1 and the user who 
receives the digital ticket has a user apparatus 2. 
When issuing a digital ticket, a communication 
channel between the issuer apparatus 1 and the user 
apparatus 2 is established via a connection 
apparatus 4. The communication channel may exist 
only during the period from the issuing start time 
to the issuing end time. 

When transferring the digital ticket, a 
communication channel is established between the
user apparatuses 2 via the communication apparatus 4 
in the same way as when issuing the digital ticket. 
Then, the digital ticket is transferred between the 
user apparatuses 2. A collector of the digital 
tickets has a collector apparatus 3. When 
collecting the digital tickets, a communication 
channel is established between the user apparatus 2 
and the collector apparatus 3 via the communication 
apparatus 4 in the same way as when issuing the 
digital ticket. Then, the digital ticket is sent to 
the collector apparatus 3. 

As mentioned above, the data storing 
system of the present invention includes one or a 
plurality of issuer apparatuses, one or a plurality 
of user apparatuses 2 and one or a plurality of 
collector apparatuses 3 which apparatuses are 
connected by connection apparatuses 4 which provide 
temporal communication channels. 

In the following, each of the apparatuses 
which are included in the data storing system will 
be described. Before the description, meanings of 
formulas which will be used for the description will
be described.

$x \| y$ means concatenation of x and y. H means a
unidirectional hash function. The hash function has
the property that determining x from y which
satisfies $y = H(x)$ is difficult. MD5 of RSA is known
as a hash function.

$S_{Pk}$ is a signature function which
generates a digital signature which can be verified
by a verification function $V_{Pk}$. The verification
function $V_{Pk}$ has the property of
$V_{Pk}(x \| S_{Pk}(x)) = 1$, $V_{Pk}(x \| \mathit{other}) = 0$
($\mathit{other} \neq S_{Pk}(x)$). That is, the
verification function $V_{Pk}$ can verify that information
x has a signature signed by the signature function
$S_{Pk}$. In addition, the verification function $V_{Pk}$ can
verify that the digital signature $S_{Pk}(x)$ is a
correct signature signed by $S_{Pk}$ for x.

Pk is a verification key and has the
property that $V_{Pk}$ can be formed by providing the
verification key Pk to a verifier V. Especially, a
verification key $Pk2 \| S_{Pk1}(Pk2)$ is called a key
certificate of Pk2 by Pk1.

ESIGN of Nippon Telegraph and Telephone
Corporation is known as a digital signature method
which realizes the above-mentioned $S_{Pk}$ and $V_{Pk}$.

Fig. 3 shows an issuer apparatus according 
to an embodiment of the present invention. 

The issuer apparatus 1 shown in the figure 
includes a control part 11, a signature part 12, a 
data generation part 13, a manifest generation part
14 and an accredited information generation part 15. 

The control part 11 has a verification key
PkI and controls the issuer apparatus 1 to circulate
a digital ticket securely. PkI is a verification
key corresponding to a signature function $S_{PkI}$
provided in the signature part 12. A detailed
description on the control part 11 will be given
later.

The signature part 12 includes the
signature function $S_{PkI}$. Each issuer apparatus has
a different signature function $S_{PkI}$. The signature
function $S_{PkI}$ is concealed by the signature part 12.

The data generation part 13 generates data 
m on the basis of information generated in the 
issuer apparatus 1 or information given from the 
outside. According to the data storing system of 
the present invention, there is no restriction for 
the contents of the data m. Therefore, digital 
information representing rights of general tickets 
such as a concert ticket, program data, music data 
and image data can be used as the data m. 

In addition, m can be formed as relation
to other data or as data including relation to other
data by obtaining $H(m_0)$ in which $m_0$ is provided from
the outside. Accordingly, data amount sent to an
after-mentioned tamper-proof device 28 can be
decreased when issuing a digital ticket.

The manifest generation part 14 has the
unidirectional hash function H and generates a
manifest $c_{(m, PkI)} = H(m \| S_{PkI}(m))$ of data with a
signature $m \| S_{PkI}(m)$.

The accredited information generation part
15 generates accredited information $t = (t_1, t_2)$. In
the accredited information $t = (t_1, t_2)$, $t_1 = PkI$ and
$t_2 = \{H(PkC_1), H(PkC_2), \ldots, H(PkC_n)\}$. Here, PkI is a
verification key held by the control part 11, and
$PkC_i$ is a verification key for verifying a signature
signed by an after-mentioned third party which is
"trusted" by the issuer.

Fig. 4 shows a user apparatus 2 according to
an embodiment of the present invention. The user
apparatus 2 includes a control part 21, a storing
part 22 and the tamper-proof device 28 which has a
control part 23, an authentication part 24, a
signature part 25, a number generation part 26 and a
storing part 27. The tamper-proof device 28 
protects functions and contents of the parts from 
tampering. Even the user of the tamper-proof device 
28 can not tamper with the tamper-proof device 28. 
An IC card or a server which is stringently managed 
by a third party via a network can be used as the 
tamper-proof device 28. 

The control part 21 and the control part 
23 in the tamper-proof device 28 control the user 
apparatus 2 for circulating a digital ticket 
securely. The detailed description of the control 
part 21 will be described later. 

The storing part 22 stores a set $M_U$ of
data with a signature which is held by the user and
a set $T_U$ of accredited information with a signature
signed by an issuer. The sets can be updated by the
control part 21.

The control part 23 has verification keys
PkU and PkC, and a key certificate $PkU \| S_{PkC}(PkU)$.
Here, the verification key PkU corresponds to $S_{PkU}$ in
the signature part 25. $S_{PkC}$ is a signature function
concealed by a third party which assures security of
the tamper-proof device 28. The third party may be
an IC card manufacturer, a tamper-proof server
administrator or the like. That is, tamper-proof
capability of the tamper-proof device 28 which
includes the signature function $S_{PkU}$ is assured by
the third party which has the signature function $S_{PkC}$.
A detailed description of the control part 23 will
be given later. PkC is a verification key of $S_{PkC}$.

A storing part 22 of another user
apparatus and/or a storing part 34 of an after-mentioned
collector apparatus 3 can be used with the
storing part 22 or instead of the storing part 22.
In such a case, since data m and after-mentioned
accredited information $(t_1, t_2, t_3)$ can be shared by
the user apparatuses and the collector apparatuses,
the data m and the accredited information $(t_1, t_2, t_3)$
are not necessarily sent between the apparatuses.

The authentication part 24 includes a
verifier V. The signature part 25 includes the
signature function $S_{PkU}$. Each of the user
apparatuses has a different $S_{PkU}$. $S_{PkU}$ is concealed by
the signature part 25.

The number generation part 26 stores a
next number $r_U$. When the number generation part 26
is required to issue a number, the number generation
part 26 issues a current number and increments $r_U$.

The storing part 27 stores a set of
manifests $C_U = \{c_1, c_2, \ldots, c_n\}$ and a set of numbers
$R_U = \{r_1, r_2, \ldots, r_m\}$. These sets can be updated by the
control part 21.

Fig. 5 is a block diagram of the collector 
apparatus 3 according to an embodiment of the 
present invention. The collector apparatus 3 
includes a control part 31, an authentication part 
32, a number generation part 33 and a storing part
34.

The control part 31 has a verification key 
PkV and controls the collector apparatus 3 for 
circulating the digital ticket securely. The 
detailed description of the operation of the control 
part 31 will be given later. 

The authentication part 32 includes a 
verifier V. 

The number generation part 33 stores a
next number $r_V$. When the number generation part 33
is required to issue a number, the number generation
part 33 issues a current number $r_V$ and increments $r_V$.

The storing part 34 stores a set of
numbers $R_V = \{r_1, r_2, \ldots, r_m\}$. The set can be updated
by the control part 31.

Fig. 6 is a block diagram of the connection 
apparatus 4 according to an embodiment of the
present invention. 

The connection apparatus 4 includes a 
communication part 41. The communication part 41 
provides a temporal or permanent communication 
channel between the issuer apparatus 1, the user 
apparatus 2 and the collector apparatus 3, or 
between the user apparatuses. A terminal with an IC 
card slot at a kiosk, a plurality of PCs which are 
connected via network or the like can be used as the 
connection apparatus 4. 

A method for circulating the digital 
ticket securely by using the above-mentioned 
apparatuses will be described in the following. 

Basic concepts of the circulation method 
are shown below. 

- The digital ticket is represented by 
data with a signature by an issuer, m || S_PkI(m). 
Contents of a right which is given to an owner of 
the digital ticket by the issuer are described in m. 
Otherwise, m includes a relation to data in which 
contents of the right are described. 

- Tampering with the digital ticket can be 
prevented by using the signature function S_PkI of the 
issuer of the digital ticket. 

- Reproduction of the digital ticket is 
not prohibited. 

- A manifest c_(m,PkI) can be generated from 
the digital ticket. The manifest is substantially 
in a one-to-one correspondence with the digital 
ticket. 

- The manifest becomes valid by being 
stored in the storing part 27 of the tamper-proof 
device 28 trusted by the issuer. 

- The tamper-proof device trusted by the 
issuer is a device in which the tamper-proof 
capability is insured by a party trusted by the 
issuer. The party trusted by the issuer is defined 
by an accredited information t^. 

- A valid manifest can be newly generated 
only by the issuer of the corresponding digital 
ticket. 

- It is prohibited to generate one or a 
plurality of valid manifests from a valid manifest. 
That is, the user is prohibited from generating a 
manifest of a digital ticket which is signed by 
others. 

In the following, the circulation method 
of a digital ticket will be described for each of 
the cases of (1) Issuing a digital ticket, (2) 
Transferring a digital ticket and (3) Consuming a 
digital ticket. In the following description, 
communication between the apparatuses is carried out 
via the communication part 41 of the connection 
apparatus 4. 

(1) Issuing a digital ticket 

The process for issuing a digital ticket 
from the issuer apparatus 1 to the user apparatus 2 
via the connection apparatus 4 is shown below. 
Fig. 7 is a sequence chart of the process according 
to an embodiment of the present invention. 

Step 101) The control part 11 obtains m 
and S_PkI(m) according to the following procedure to 
generate a digital ticket m || S_PkI(m) which is data 
with a signature. 

(a) The data generation part 13 generates data m. 

(b) m is given to the signature part 12 such 
that the signature part 12 generates S_PkI(m). 

Step 102) The control part 11 provides the 
digital ticket m || S_PkI(m) to the manifest generation 
part 14 such that the manifest generation part 14 
generates a manifest c_(m,PkI). 

Step 103) The control part 11 obtains 
accredited information t and a signature 
S_PkI(t) according to the following procedure and 
generates accredited information with a signature t 
|| S_PkI(t). 

(a) The accredited information generation part 
15 generates the accredited information t. The 
configuration of t was described before. 

(b) The accredited information t is provided 
to the signature part 12 such that the signature 
part 12 generates the signature S_PkI(t). 

Step 104) The control part 11 sends the 
digital ticket m || S_PkI(m) and the accredited 
information with a signature t || S_PkI(t) to the 
control part 21. 

In step 101, when m which is generated by 
the data generation part 13 is a relation to other 
data, for example, m = H(m0), or when m includes the 
relation, the related data (m0) is sent as 
necessary, which is the same as the cases of after- 
mentioned transferring and consuming. 

Step 105) The control part 21 of the user 
apparatus 2 adds the digital ticket m || S_PkI(m) in the 
set M_U, adds the accredited information with the 
signature t || S_PkI(t) in the set T_U, and stores them in 
the storing part 22. 

When data related to m is sent, the 
relation is verified. If the verification fails, 
the process is interrupted and the issuer apparatus 
is notified of it. This is the same as in the case 
of after-mentioned transferring and consuming. 

Step 106) The control part 21 requests 
the control part 23 to generate session information 
(s1, s2). 

The control part 23 generates the session 
information (s1, s2) according to the following 
procedure and sends it to the control part 21. 

(a) The control part 23 obtains a number 
generated by the number generation part 26. 

(b) The number r_U is added to a number set 
in the storing part 27. 

(c) The session information (s1, s2) = (H(PkU), 
r_U) is generated. Here, PkU is a verification key 
held by the control part 21. 

Step 107) The control part 21 sends the 
session information (s1, s2) to the control part 11. 

Step 108) The control part 11 obtains a 
manifest issuing format e_I = (e1, e2, e3, e4, e5) by 
using S_PkI in the signature part 12 and the 
verification key PkI retained by the control part 11. 
Each element in e_I is shown below. 

e1 = c_(m,PkI) 
e2 = s1 
e3 = s2 
e4 = S_PkI(c_(m,PkI) || s1 || s2) 
e5 = PkI 

Step 109) The control part 11 sends the 
manifest issuing format e_I to the control part 21. 

Step 110) The control part 21 sends the 
digital ticket m || S_PkI(m) and the manifest issuing 
format e_I to the control part 23 and requests to 
store the manifest in e_I. 

Step 111) The control part 23 verifies 
that the following conditions are satisfied by using the 
authentication part 24. If the verification fails, 
the process after that is interrupted and the 
control part 23 notifies the control part 11 of the 
process interruption via the control part 21. 

e2 = H(PkU)                          (1) 
e3 ∈ R_U                             (2) 
V_e5(m || S_PkI(m)) = 1              (3) 
V_e5(e1 || e2 || e3 || e4) = 1       (4) 
e1 = H(m || S_PkI(m))                (5) 

The above-mentioned formulas (1) and (2) 
mean verification of validity of the session 
information. According to the verification, fraud 
can be prevented. Such fraud may be, for example, 
storing a manifest issuing format destined to other 
user apparatus 2 or reproducing a manifest by 
reusing the manifest issuing format. The formulas 
(3) and (4) mean verification of validity of the 
signature of the manifest issuing format. According 
to the verification, storing a manifest other than 
the one which is included in the manifest issuing 
format and which has a signature signed by the 
issuer can be prevented. The formula 
(5) means verification of correspondence between the 
manifest and the digital ticket. According to the 
verification, the occurrence of a manifest which 
does not correspond to the digital ticket, such as 
one corresponding to other digital ticket, can be 
prevented. 

Step 112) The control part 23 deletes e3 
(= r_U) from the number set in the storing part 27. 

Step 113) The control part 23 adds e1 (= c_(m,PkI)) 
to a manifest set C_U in the storing part 27. 

Step 114) The control part 23 sends e^ to 
the control part 21 to notify of a normal end. 
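
The device-side checks of steps 106 to 113, formulas (1) to (5), as an added example that is not part of the specification. Textbook RSA over fixed Mersenne primes stands in for the signature functions (it is not secure), SHA-256 stands in for H, and every class, function and sample value below is an assumption of this example.

```python
import hashlib

def H(data: bytes) -> bytes:
    """One-way hash function H (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).digest()

class ToyKey:
    """Textbook RSA hash-then-sign over fixed Mersenne primes. NOT secure:
    it only stands in for a signature function S_Pk and its verification key Pk."""
    E = 65537

    def __init__(self, p_exp: int, q_exp: int):
        p, q = 2**p_exp - 1, 2**q_exp - 1
        self.n = p * q
        self._d = pow(self.E, -1, (p - 1) * (q - 1))   # concealed signing exponent
        self.pk = self.n.to_bytes(32, "big")           # verification key Pk

    def sign(self, msg: bytes) -> bytes:
        digest = int.from_bytes(H(msg), "big") % self.n
        return pow(digest, self._d, self.n).to_bytes(32, "big")

def V(pk: bytes, msg: bytes, sig: bytes) -> bool:
    """Verifier V_Pk: True when sig is a valid signature on msg under pk."""
    n = int.from_bytes(pk, "big")
    if n < 2:
        return False
    digest = int.from_bytes(H(msg), "big") % n
    return pow(int.from_bytes(sig, "big"), ToyKey.E, n) == digest

def issue_ticket(issuer: ToyKey, m: bytes) -> bytes:
    """Step 101: digital ticket m || S_PkI(m) (signature is the last 32 bytes)."""
    return m + issuer.sign(m)

def issuing_format(issuer: ToyKey, ticket: bytes, session):
    """Step 108: e_I = (c, s1, s2, S_PkI(c || s1 || s2), PkI), c = H(m || S_PkI(m))."""
    s1, s2 = session
    c = H(ticket)
    return (c, s1, s2, issuer.sign(c + s1 + s2), issuer.pk)

class TamperProofDevice:
    """Control part 23 with number generation part 26 and storing part 27."""

    def __init__(self, pk_u: bytes):
        self.pk_u = pk_u
        self.next_r = 1      # r_U
        self.R = set()       # numbers issued and not yet used (R_U)
        self.C = set()       # stored, i.e. valid, manifests (C_U)

    def new_session(self):
        """Step 106: issue r_U, record it, return (s1, s2) = (H(PkU), r_U)."""
        r = self.next_r.to_bytes(8, "big")
        self.next_r += 1
        self.R.add(r)
        return H(self.pk_u), r

    def store_manifest(self, ticket: bytes, e) -> str:
        """Steps 111-113: check formulas (1)-(5), then use up r_U and store e1."""
        e1, e2, e3, e4, e5 = e
        m, sig = ticket[:-32], ticket[-32:]
        if e2 != H(self.pk_u):
            return "reject (1): format is destined to another device"
        if e3 not in self.R:
            return "reject (2): number unknown or already used"
        if not V(e5, m, sig):
            return "reject (3): ticket signature invalid"
        if not V(e5, e1 + e2 + e3, e4):
            return "reject (4): format signature invalid"
        if e1 != H(ticket):
            return "reject (5): manifest does not match ticket"
        self.R.discard(e3)   # step 112: the format cannot be stored twice
        self.C.add(e1)       # step 113: the manifest becomes valid
        return "stored"

def demo() -> dict:
    issuer = ToyKey(107, 127)
    dev_a = TamperProofDevice(ToyKey(89, 127).pk)
    dev_b = TamperProofDevice(ToyKey(89, 107).pk)
    ticket = issue_ticket(issuer, b"constructed sample: seat A-12")
    other = issue_ticket(issuer, b"constructed sample: seat B-07")
    e = issuing_format(issuer, ticket, dev_a.new_session())
    out = {
        "other_device": dev_b.store_manifest(ticket, e),   # fails (1)
        "first_store": dev_a.store_manifest(ticket, e),    # passes (1)-(5)
        "replay": dev_a.store_manifest(ticket, e),         # fails (2)
    }
    e_new = issuing_format(issuer, ticket, dev_a.new_session())
    out["wrong_ticket"] = dev_a.store_manifest(other, e_new)         # fails (5)
    swapped = (H(other),) + e_new[1:]
    out["swapped_manifest"] = dev_a.store_manifest(other, swapped)   # fails (4)
    out["manifests_on_a"] = len(dev_a.C)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Formulas (3) and (4) are both checked against e5, the key carried inside the format, so they show that the ticket and the format were signed with the same key; these five formulas alone do not establish whose key it is.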

(2) Transferring a digital ticket 

The digital ticket transferring process 
from the user apparatus 2a to the user apparatus 2b 
via the connection apparatus 4 will be described in 
the following. 

Fig. 8 and Fig. 9 are sequence charts 
showing the digital ticket transferring process 
according to an embodiment of the present invention. 

Step 201) The control part 21a extracts 
the digital ticket m || S_PkI(m) which is an object to 
be transferred from a set of data with a 
signature retained by the storing part 22a. 

Step 202) The control part 21a extracts 
the accredited information t || S_PkI(t) with a 
signature by the issuer of m || S_PkI(m) from 
included in the storing part 22a. 

Step 203) The control part 21a sends m || 
S_PkI(m) and t || S_PkI(t) to the control part 21b. 

Step 204) The control part 21b stores m || 
S_PkI(m) in a set M_Ub of data with the signature in 
the storing part 22b and stores t || S_PkI(t) in an 
accredited information set in the storing part 
22b. 

Step 205) The control part 21b requests 
the control part 23b to generate session information 
(s1, s2). 

The control part 23b generates the session 
information (s1, s2) according to the following 
procedure and sends it to the control part 21b. 

(a) The control part 23 obtains a number r_Ub 
generated by the number generation part 26b. 

(b) The number r_Ub is added to a number set R_Ub 
in the storing part 27b. 

(c) The session information (s1, s2) = (H(PkUb), 
r_Ub) is generated. Here, PkUb is a verification key 
held by the control part 21b. 

Step 206) The control part 21b sends the 
session information (s1, s2) to the control part 21a. 

Step 207) The control part 21a sends (s1, 
s2) and a hash value H(m || S_PkI(m)) of the digital 
ticket to be transferred to the control part 23a. 

Step 208) The control part 23a verifies 
that the following formula is satisfied for a set 
C_Ua of manifests which is stored in the 
storing part 27a. 

H(m || S_PkI(m)) ∈ C_Ua              (6) 

When the verification fails, the process 
after that is interrupted and the control part 21a 
is notified of the failure. 

The above formula (6) means verification 
that the manifest c_(m,PkI) = H(m || S_PkI(m)) which 
corresponds to the digital ticket to be transferred 
is stored in the storing part 27a. 

Step 209) The control part 23a obtains a 
manifest sending format e_c = (e1, e2, e3, e4, e5, e6, e7) 
by using S_PkUa which is included in the signature part 
25a and verification keys PkUa, PkCa, and a key 
certificate PkUa || S_PkCa(PkUa) which are included in 
the control part 11. Each element of e_c is shown 
below. 

e1 = c_(m,PkI) 
e3 = s2 
e4 = S_PkUa(c_(m,PkI) || s1 || s2) 
e5 = PkUa 
e6 = S_PkCa(PkUa) 
e7 = PkCa 

Step 210) The control part 23a deletes c_(m,PkI) 
from the set C_Ua of manifest. 

Step 211) The control part 23a sends e_c to 
the control part 21a. 

Step 212) The control part 21a sends e_c to 
the control part 21b. The control part 21b verifies 
whether e1 in the sent e_c satisfies e1 = H(m || S_PkI(m)). 

Step 213) The control part 21b sends e_c, t 
|| S_PkI(t) and m || S_PkI(m) to the control part 23b and 
requests to store the manifest in e_c. 

Step 214) The control part 23b verifies 
that all formulas below are satisfied by using the 
authentication part 24b. If the verification 
fails, the process is interrupted and the control 
part 21b is notified of the interruption. 

e2 = H(PkUb)                             (7) 
V_e5(e1 || e2 || e3 || e4, e5) = 1       (9) 
V_e7(e5 || e6) = 1                       (10) 
H(e7) ∈ tc                               (11) 
V„(m || S_PkI(m)) = 1                    (12) 
V,,(t || S_PkI(t)) = 1                   (13) 

The above formulas (7) and (8) mean 
verification of validity of the session information. 
Using the verification, fraud such as storing a 
manifest sending format on another user apparatus, 
reproducing a manifest by reusing the manifest 
sending format or the like is prevented. 

The formula (9) means verification for 
identifying the signer of the manifest sending 
format. The formula (10) means verification of the 
key certificate of the signer. The formula (11) 
means verification that the signer of the key 
certificate is trusted by the issuer as an 
accredited object in the accredited information. 
According to the above verification, it is verified 
that the tamper-proof capability of the source of 
the manifest sending format is assured by a party 
trusted by the issuer. 

The formulas (12) and (13) mean 
verification of validity of the signature signed on 
the accredited information. According to the 
verification, it is verified that the accredited 
information is properly signed by the signer of the 
digital ticket. 

Step 215) The control part 23b deletes e3 
(= r_Ub) from the number set in the storing part 
27b. 

Step 216) The control part 23b adds e1 (= c_(m,PkI)) 
to the manifest set C_Ub in the storing 
part 27b. 

Step 217) The control part 23b notifies 
the control part 21b of the normal completion of the 
process. 

(3) Consuming the digital ticket 

The digital ticket consuming process from 
the user apparatus 2 to the collector apparatus 3 
via the connection apparatus 4 will be described in 
the following. 

Fig. 10 is a sequence chart of the ticket 
consuming process according to an embodiment of the 
present invention. 

Step 301) The control part 21 extracts a 
digital ticket m || S_PkI(m) to be consumed from the 
signed data set M_U which is included in the storing 
part 22. 

Step 302) The control part 21 extracts the 
accredited information t || S_PkI(t) signed by the 
issuer of m || S_PkI(m) from the signed accredited 
information set T_U included in the storing part 22. 

Step 303) The control part 21 sends m || S_PkI(m) 
and t || S_PkI(t) to the control part 31. 

Step 304) The control part 31 generates 
session information (s1, s2) according to the 
following procedure. 

(a) The control part 23 obtains a number r_V 
from the number generation part 33. 

(b) The number r_V is added to a number set R_V 
in the storing part 34. 

(c) The session information (s1, s2) = (H(PkV), 
r_V) is generated. Here, PkV is a verification key 
held by the control part 31. 

Step 305) The control part 31 sends the 
session information (s1, s2) to the control part 21. 

Step 306) The control part 21 sends (s1, 
s2) and a hash value H(m || S_PkI(m)) of the digital 
ticket to be consumed to the control part 23. 

Step 307) The control part 23 verifies 
that the following formula is satisfied for a set of 
manifests C_U which is stored in the storing part 27. 

H(m || S_PkI(m)) ∈ C_U               (15) 

When the verification fails, the process 
after that is interrupted and the control part 21 is 
notified of the failure. 

The above formula (15) means verification 
that the manifest c_(m,PkI) = H(m || S_PkI(m)) which 
corresponds to the digital ticket to be consumed is 
stored in the storing part 27. 

Step 308) The control part 23 obtains a 
manifest sending format e_c = (e1, e2, e3, e4, e5, e6, e7) 
by using the signature function S_PkU which is 
included in the signature part 25 and verification 
keys PkU, PkC, and a key certificate PkU || S_PkC(PkU) 
which are included in the control part 21. Each 
element of e_c is shown below. 

e3 = s2 
e4 = S_PkU(c_(m,PkI) || s1 || s2) 
e5 = PkU 
e6 = S_PkC(PkU) 
e7 = PkC 

Step 309) The control part 23 deletes c_(m,PkI) 
from the manifest set C_U. 

Step 310) The control part 23 sends e_c to 
the control part 21. 

Step 311) The control part 21 sends e_c to 
the control part 31. 

Step 312) The control part 31 verifies 
that all formulas below are satisfied by using the 
authentication part 32. If the verification fails, 
the process is interrupted and the control part 21 
is notified of the interruption. 



H(PkV)                                   (16) 
e3 ∈ R_V                                 (17) 
V_e5(e1 || e2 || e3 || e4, e5) = 1       (18) 
V_e7(e5 || e6) = 1                       (19) 
H(e7) ∈ tc                               (20) 
V„(m || S_PkI(m)) = 1                    (21) 
V,,(t || S_PkI(t)) = 1                   (22) 



The above formulas (16) and (17) mean 
verification of validity of the session information. 
Using the verification, fraud such as storing a 
manifest sending format on another collector 
apparatus, reproducing a manifest by reusing the 
manifest sending format or the like is prevented. 

The formula (18) means verification for 
identifying the signer of the manifest sending 
format. The formula (19) means verification of the 
key certificate of the signer. The formula (20) 
means verification that the signer of the key 
certificate is trusted by the issuer as an 
accredited object in the accredited information. 
According to the above verification, it is verified 
that the tamper-proof capability of the source of 
the manifest sending format is assured by a party 
trusted by the issuer. 

The formulas (21) and (22) mean 
verification of the validity of the signature for 
the accredited information. According to the 
verification, it is verified that the accredited 
information is properly signed by the signer of the 
digital ticket. 

Step 313) The control part 31 deletes 
(= r_V) from R_V in the storing part 34. 

Step 314) The control part 31 verifies 
that all formulas below are satisfied. If the 
verification fails, the control part 21 is notified 
of process interruption. If the verification 
succeeds, a service corresponding to m is provided 
to the consumer. 

= H(m || S_PkI(m))                       (23) 

The above formula (23) means verification 
that a manifest corresponding to the consumed 
digital ticket has been sent. According to the 
verification, it is verified that a valid digital 
ticket has been consumed. 

Each element of the issuer apparatus 1, 
the user apparatus 2 or the collector apparatus 3 
can be constructed by a program. The program can be 
stored in a disk unit connected to a computer which 
may be used as the issuer apparatus, the user 
apparatus or the collector apparatus. The program 
can be also stored in a transportable computer 
readable medium such as a floppy disk, a CD-ROM or 
the like. The program may be installed from the 
computer readable medium to a computer such that the 
present invention is realized by the computer. 

As mentioned above, according to the first 
embodiment of the present invention, since only 
manifests of the number which the signer intends to 
store are stored in the manifest storing part in the 
data storing system, the occurrence of a manifest 
newly stored by a person other than the signer can 
be prevented. In addition, it can be prevented that 
valid data exceeding the number of the manifests may 
exist. Further, it becomes possible that the 
manifests can be transmitted only via routes which 
are trusted by the signer. 

By using the digital ticket as data in the 
data storing system of the present invention, the 
number of valid reproductions of the digital ticket 
can be maintained at less than a constant number 
without storing the digital tickets in the tamper- 
proof device. 

In addition, by using a program as data of 
the present invention and by using the manifest as a 
license of the program, illegal copying and use of 
the program can be prevented. 

Further, by using music data or image data 
as data of the present invention, illegal copying 
and use of the music data or image data can be 
prevented. Furthermore, by "consuming" ((3) in the 
embodiment) the data each time when the data is used, 
the system of the present invention can be used for 
billing per use in a billing system (for example, a 
pay per view billing system). 

(Second Embodiment) 

In the following, a second embodiment of 
the present invention will be described. 

According to the above mentioned first 
embodiment, only data which represents originality 
(manifest) is stored in the tamper-proof apparatus 
and it is ensured that the number of valid 
reproductions of data is maintained below a pre-set 
constant number. Therefore, the tamper-proof device 
does not necessarily perform verifications other 
than the verification on reproducing. The 
verifications include a verification of validity of 
description. Thus, processing load such as 
processing speed and memory capacity can be 
decreased. The above-mentioned invention has 
remarkable effects in comparison with the 
conventional technology. However, there are two 
main problems described below as to the matter of 
practicality. 

First, when generating the data 
representing originality or authenticity or 
genuineness, it is necessary to send data and the 
signature to the tamper-proof device in order to 
verify the data and the signature. On the other 
hand, the transmitting speed of an IC card is about 
9600 bps (ISO-7816), which is relatively low. 
Therefore, when the size of the data is large, the 
time for generating the data representing 
originality may be remarkably increased. 

In addition, according to the above- 
mentioned first embodiment, the data representing 
originality is generated from data and the signature, 
and it is necessary to verify the data representing 
originality by using the data and the signature when 
consuming the data. Therefore, it becomes necessary 
to circulate not only the data but also the 
signature. Therefore, the memory capacity necessary 
for the system and the processing time for 
circulation may be increased. 

In the second embodiment, an original data 
circulation system will be described. According to 
the system, the processing load for generating data 
representing originality (which will be called a 
token) and circulating the data is decreased. 

Fig. 11 is a block diagram for explaining 
the principle of the second embodiment of the 
present invention. 

The original data circulation system for storing 
and circulating original data which is digital 
information includes an issuer apparatus 50, a user 
apparatus 60 and a collector apparatus 70. 

The issuer apparatus includes a first 
originality information generation part 51, and a 
first originality information sending part 52. The 
first originality information generation part 51 
generates originality information. The first 
originality information sending part 52 sends the 
originality information. Here, the originality 
information is information which represents 
genuineness of the right of issued data. In other 
words, the originality information represents the 
authenticity or originality of issued data. 

The user apparatus 60 includes a second 
originality information sending part 61, a first 
identifying part 62, a first authentication part 63 
and a storing part 64. 

The second originality information sending 
part 61 receives originality information which is 
formed by fifth information corresponding to an 
apparatus and by sixth information which is data or 
which corresponds to the data. The first 
identifying part 62 identifies a source apparatus of 
the originality information when the originality 
information is received from another apparatus. 
When the source apparatus is authenticated, the 
first authentication part 63 determines that the 
originality information is valid only when the 
source apparatus and information corresponding to 
first information of the originality information are 
the same. The storing part 64 stores the 
originality information when the originality 
information is determined as valid by the first 
authentication part 63. 

The collector apparatus 70 includes a 
second identifying part 71, a second authentication 
part 72 and a data processing part 73. 

The second identifying part 71 identifies 
a source apparatus which sends originality 
information. The second authentication part 72 
authenticates the source apparatus. The data 
processing part 73 carries out processing for the 
originality information data or data corresponding 
to the second information. 

Figs. 12A and 12B show the configurations 
of the data storing system in the original data 
circulation system. 

In the figure, the issuer of the digital 
ticket has an issuer apparatus 100 and the user who 
receives the digital ticket has a user apparatus 200. 
When issuing a digital ticket, a communication 
channel between the issuer apparatus 100 and the 
user apparatus 200 is established via a connection 
apparatus 400. The issuer apparatus 100 sends the 
digital ticket which is validated in the issuer 
apparatus 100 to the user apparatus 200. 

The above-mentioned apparatuses can be 
configured as shown in Figs. 12A and 12B. Fig. 12A 
shows a representative configuration when an IC card 
is used for the user apparatus 200 and an IC card 
reader is used for the connection apparatus 400. 
Fig. 12B shows a representative configuration when a 
tamper-proof device such as an IC card or a PC which 
is kept in a safe place is used as the user 
apparatus and a network is used for the connection 
apparatus 400. The configurations shown in Figs. 12A 
and 12B can be mixed. 

The above-mentioned communication channel 
may exist only during the period from the issuing 
start time to the issuing end time, which applies to 
the cases of "transferring", "consuming" and 
"presenting". 

When transferring the digital ticket, a 
communication channel is established between the 
user apparatuses 200 via the communication apparatus 
400 in the same way as when issuing the digital 
ticket. Then, the digital ticket is transferred 
between the user apparatuses 200. 

A collector of the digital tickets has a 
collector apparatus 300. When consuming the digital 
tickets, a communication channel is established 
between the user apparatus 200 and the collector 
apparatus 300 via the communication apparatus 400 in 
the same way as when issuing the digital ticket. 
Then, a valid digital ticket is transferred to the 
collector apparatus 300. 

When presenting the digital tickets, a 
communication channel is established between the 
user apparatuses 200 or between the user apparatus 
200 and the collector apparatus 300 via the 
communication apparatus 400 such that the user 
apparatus 200 presents a certificate that the user 
apparatus 200 has a valid digital ticket to another 
user apparatus or to the collector apparatus 300. 

As mentioned above, the data storing 
system of the present invention includes one or a 
plurality of issuer apparatuses 100, one or a 
plurality of user apparatuses 200 and one or a 
plurality of collector apparatuses 300 which 
apparatuses are connected by connection apparatuses 
400 which provide temporal communication channels. 

In the following, the embodiment of the 
present invention will be described with reference 
to figures. 

Each apparatus which forms the above- 
mentioned data storing system will be described by 
using Figs. 13-16. The meanings of formulas used for 
descriptions below are almost the same as those used 
in the first embodiment. Especially, a combination 
(Pk2, S_Pk1(Pk2)) of a verification key Pk2 and a 
digital signature S_Pk1(Pk2) of Pk2 by S_Pk1 is called a 
key certificate of Pk2 by Pk1. H(Pk) is called a 
hash value of Pk. 

Fig. 13 shows an issuer apparatus according 
to an embodiment of the present invention. 

The issuer apparatus 100 shown in the 
figure includes a control part 110, a signature part 
120, a data generation part 130, a token generation 
part 140 and an accredited information generation 
part 150. 

The control part 110 has a verification 
key PkI and enables the issuer apparatus 100 to 
circulate a digital ticket securely. PkI is a 
verification key corresponding to a signature 
function S_PkI provided in the signature part 120. 
Its hash value H(PkI) is used as an identifier 
for identifying the issuer. A detailed description 
of the control part 110 will be given later. 

The signature part 120 includes a 
signature function S_PkI. S_PkI is different for each 
issuer apparatus 100 and concealed by the signature 
part 120. 

The data generation part 130 generates 
data m on the basis of information generated in the 
issuer apparatus 100 or information given from 
outside. According to the data storing system of 
the present invention, there is no restriction on 
the contents of the data m. Therefore, digital 
information representing rights of general tickets 
such as a concert ticket, program data, music data 
and image data can be used as the data m. 

The token generation part 140 has the 
unidirectional hash function H and generates a token 
(c1, c2) = (H(m), H(PkI)) from data m and a 
verification key PkI. c2 is token issuer 
information which is a hash value that identifies 
the issuer of the token. Hash of data m is used as 
c1 here; however, an identifier for identifying m 
can also be used as c1. 

The accredited information generation part 
150 generates accredited information (t1, t2, t3). 
(t1, t2, t3) can be formed as shown below by 
using the signature part 120. 

t1 = {H(PkA1), H(PkA2), ..., H(PkAn)} 
t2 = S_PkI(H(PkA1) || H(PkA2) || ... || H(PkAn)) 
t3 = PkI 

Here, H(PkAi) is a hash value for 
identifying an after-mentioned third party who is 
"trusted" by the issuer. 

The accredited information can also be 
formed as (t'1, t'2, t'3, t'4) as shown below. 

t'1 = {H(PkA1), H(PkA2), ..., H(PkAn)} 
t'2 = H(m) 
t'3 = S_PkI(H(PkA1) || H(PkA2) || ... || H(PkAn) || H(m)) 
t'4 = PkI 

In this case, H(PkAi) is a hash value for 
identifying a third party trusted by the issuer for 
circulating data m. 

In addition, a third party may issue 
accredited information such that the above-mentioned 
accredited information can be constructed 
recursively. 
Further, the accredited information may be 
stored beforehand in a control part of the tamper- 
proof device of the user apparatus or a control part 
of the collector apparatus instead of being 
generated by each issuer. In this case, the 
signature is not necessary and the accredited 
information can be constituted as (t"1, t"2) or only 
t"1 as shown below. 

t"1 = {H(PkA1), H(PkA2), ..., H(PkAn)} 
t"2 = H(m) 

In such a case, H(PkAi) is a hash value 
for identifying a third party trusted by a third 
party which made the control part for circulating 
the data m. 

In the following, the accredited 
information is assumed as (t1, t2, t3). However, any 
of the above-mentioned accredited information can be 
used. 

Fig. 14 is a user apparatus 200 according 
to an embodiment of the present invention. 

The user apparatus 200 includes a control 
part 210, a storing part 220 and the tamper-proof 
device 280 which has a control part 230, an 
authentication part 240, a signature part 250, a 
number generation part 260 and a storing part 270. 
The tamper-proof device 280 protects functions and 
contents of each part from tampering. Even the user 
of the tamper-proof device 280 cannot tamper with 
the tamper-proof device 280. An IC card or a server 
which is stringently managed by a third party via a 
network can be used as the tamper-proof device 280. 

The control part 210 includes issuer 
information I_U = {H(PkI1), H(PkI2), ..., H(PkIn)}. The 
control part 210 and the control part 230 in the 
tamper-proof device 280 control the user apparatus 
200 for circulating a digital ticket securely, 
is a set representing an issuer trusted by a user 
and can be updated by the user at any time. The 
control part 210 determines that only the token 
issued by an issuer included in is valid. The 
detailed description of the control part 210 will be 
described later. 

In addition, I_U can be realized as 
I_U(mi) = {H(PkIi1), H(PkIi2), ..., H(PkIin)}. That is, 
sets of issuer information are managed from one data 
to another data. 

The storing part 220 stores a set M_U of 
data which is held by a user and a set T_U of 
accredited information. The sets can be updated by 
the control part 210. 

The control part 230 has verification keys 
PkU, PkA, and a key certificate (PkU, S_PkA(PkU)). 
The control part 230 controls the user apparatus for 
circulating the digital ticket securely. Here, the 
verification key PkU corresponds to S_PkU in the 
signature part 250. Its hash value H(PkU) is used 
as an identifier for identifying the user apparatus. 
S_PkA is a signature function concealed by a third 
party which assures safety of the tamper-proof 
device 280. The third party may be an IC card 
manufacturer, a tamper-proof server administrator or 
the like. That is, tamper-proof capability of the 
tamper-proof device 280 which includes the signature 
function S_PkU is assured by the third party who has 
the signature function S_PkA. A detailed description 
of the control part 230 will be given later. PkA is 
a verification key of S_PkA. 

The authentication part 240 includes a 
verifier V. 

The signature part 250 includes the 
signature function S_PkU. Each of the user 
apparatuses has a different S_PkU. S_PkU is concealed by 
the signature part 250. 

The number generation part 260 stores a 
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next number r,,. When the number generation part 2 60 
is required to issue a number, the number generation 
part 260 issues a current number r^ and Increments r^. 
Here, r^ is a positive number. 
5 The storing part 270 stores a set of 

tokens and a set of numbers R,,. These sets can 
be updated by the control part 230. 

Fig. 15 is a block diagram of the collector
apparatus according to an embodiment of the present
invention. The collector apparatus 300 includes a
control part 310, an authentication part 320, a
number generation part 330 and a storing part 340.

The control part 310 has a verification
key PkE and issuer information I_E = {H(PkI1), H(PkI2),
..., H(PkIn)}, and controls the collector apparatus
300 for circulating the digital ticket securely.
is a set representing an issuer trusted by the
collector and can be updated by the issuer at any
time. The control part 310 determines that only the
token issued by an issuer included in I_E is valid
and provides a service for consumption of only the
digital ticket with the valid token. The detailed
description of the operation of the control part 310
will be given later.

In addition, in the same way as I_U in the
control part 210, I_E can be realized as
I_E(mi) = {H(PkIi1), H(PkIi2), ..., H(PkIin)}. That is, sets
of issuer information are managed from one data to
another data.

The authentication part 320 includes a
verifier V.

The number generation part 330 stores a
next number r_E. When the number generation part 330
is required to issue a number, the number generation
part 330 issues a current number r_E and increments r_E.
r_E is a positive number.

The storing part 340 stores a set of
numbers. The set can be updated by the control
part 310.

Fig. 16 is a block diagram of the
connection apparatus 400 according to an embodiment
of the present invention.

The connection apparatus 400 includes a
communication part 410. The communication part 410
provides a temporal or permanent communication
channel between the issuer apparatus 100, the user
apparatus 200 and the collector apparatus 300, or
between the user apparatuses. A terminal with an IC
card slot at a kiosk, a plurality of PCs which are
connected via network or the like can be used as the
connection apparatus 400.

A method for circulating the digital
ticket securely by using the above-mentioned
apparatuses will be described in the following.

In the following, the circulation method
of a digital ticket will be described for each of
the cases of (1) Issuing a digital ticket, (2)
Transferring a digital ticket and (3) Consuming a
digital ticket. In the following description,
communication between the apparatuses is carried out
via the communication part 410 in the connection
apparatus 400.

(1) Issuing a digital ticket
Fig. 17 is a sequence chart of the process
according to an embodiment of the present invention.
In the figure, the connection apparatus 400 existing
between the issuer apparatus 100 and the user
apparatus 200 is not shown.

Step 1101) The control part 110 of the
issuer apparatus 100 obtains data m from the data
generation part 130. The data m is the digital
ticket describing right information.

Step 1102) The control part 110 of the
issuer apparatus 100 provides the data m and PkI to
the token generation part 140 such that the token
generation part 140 generates a token (c1, c2)
= (H(m), H(PkI)).

Step 1103) The control part 110 obtains
accredited information (t1, t2, t3) from the
accredited information generation part 150. The
configuration of the accredited information is shown
before.

Step 1104) The control part 110 sends m
and (t1, t2, t3) to the control part 210 in the user
apparatus 200.

Step 1105) The control part 210 of the
user apparatus 200 adds m in M_U of the storing part
220, adds (t1, t2, t3) in T_U of the storing part 220
and stores them in the storing part 220.

Step 1106) The control part 210 requests
control part 230 to generate session information (s1,
s2).

The control part 230 generates the session
information (s1, s2) according to the following
procedure and sends it to the control part 210.

(a) The control part 230 obtains a number r_U
generated by the number generation part 260 in the
tamper-proof device 280.

(b) The number r_U is added to a number set R_U
in the storing part 270.

(c) The session information (s1, s2) = (H(PkU),
r_U) is generated. Here, PkU is a verification key
held by the control part 210.

Step 1107) The control part 210 sends the
session information (s1, s2) to the control part 110
of the issuer apparatus 100.

Step 1108) The control part 110 of the
issuer apparatus 100 obtains a token exchange format
e = (e1, e2, e3, e4, e5, e6, e7, e8) by using S_PkI in the
signature part 120 and the verification key PkI
retained by the control part 110. Each element in e
is shown below. When issuing the digital ticket,
since e7 and e8 are dummy data, each of e7 and e8 can
take any value.

e2 = c2
e3 = s1
e4 = s2
e5 = S_PkI(c1 || c2 || s1 || s2)
e6 = PkI
e7 = any
e8 = any

Step 1109) The control part 110 sends e to
the control part 210 of the user apparatus 200.

Step 1110) The control part 210 sends e to
the control part 230 and requests control part 230
to store the token in e.

Step 1111) The control part 230 in the
tamper-proof device 280 verifies that following
formulas are satisfied by using the authentication
part 240. If the verification fails, the process
after that is interrupted and the control part 230
notifies the control part 110 in the issuer device
100 of the process interruption via the control part
210.

e3 = H(PkU) (1)
e4 ∈ R_U (2)
V_e6(e1 || e2 || e3 || e4, e5) = 1 (3)
e2 = H(e6) (4)

The above-mentioned formulas (1) and (2)
mean verification of validity of the session
information. Using the verification, fraud can be
prevented. Such fraud may be, for example, storing
a token exchange format in another user apparatus
200 or reproducing a token by reusing the token
exchange format.

The formula (3) means verification of
validity of the signature of the token exchange
format. According to the verification, tampering
with the token exchange format can be prevented.

The formula (4) means verification of the
validity of the token issuer information. According
to the verification, storing a token issued by an
issuer other than the signer of the token can be
prevented.

Step 1112) The control part 230 in the
tamper-proof device 280 of the user apparatus 200
deletes e4 (= r_U) from the number set R_U in the
storing part 270.

Step 1113) The control part 230 adds (e1,
e2) to C_U in the storing part 270.

Step 1114) The control part 230 sends (e1,
e2) to the control part 210 to notify of a normal
end.

Step 1115) The control part 210 verifies
that following formulas are satisfied. If the
verification fails, the process is interrupted and
the control part 230 notifies the control part 110
in the issuer apparatus 100 of the process
interruption.

e1 = H(m) (5)
e2 ∈ I_U (6)

The formulas (5) and (6) mean verification
that the sent token corresponds to the subject
digital ticket and was issued by a proper issuer.
According to the verification, it is verified that
the issued ticket is valid.

(2) Transferring a digital ticket 

The digital ticket transferring process 
from the user apparatus 200a to the user apparatus 
200b via the connection apparatus 400 will be 
described in the following. 

Fig. 18 and Fig. 19 are sequence charts
showing the digital ticket transferring process
according to an embodiment of the present invention.
In the figures, the connection apparatus 400
existing between the two user apparatuses 200a and
200b is not shown. "a" is added to the name of each
element of the user apparatus 200a and "b" is added
to the name of each element of the user apparatus
200b.

Step 2201) The control part 210a extracts
the digital ticket m which is an object to be
transferred from a set M_Ua retained by the storing
part 220a.

Step 2202) The control part 210a of the
user apparatus 200a extracts the accredited
information (t1, t2, t3) generated by the issuer of m
from T_Ua included in the storing part 220a.

Step 2203) The control part 210a sends m
and (t1, t2, t3) to the control part 210b of the user
apparatus 200b.

Step 2204) The control part 210b stores m
in a set M_Ub in the storing part 220b and stores (t1,
t2, t3) in an accredited information set T_Ub in the
storing part 220b.

Step 2205) The control part 210b requests
the control part 230b in the tamper-proof device 280b
to generate session information (s1, s2).

The control part 230b generates the
session information (s1, s2) according to the
following procedure and sends it to the control part
210b.

(a) The control part 230b obtains a number r_Ub
generated by the number generation part 260b in the
tamper-proof device 280b.

(b) The number r_Ub is added to a number set R_Ub
in the storing part 270b in the tamper-proof device
280b.

(c) The session information (s1, s2) = (H(PkUb),
r_Ub) is generated. Here, PkUb is a verification key
held by the control part 210b.

Step 2206) The control part 210b sends
the session information (s1, s2) to the control part
210a of the user apparatus 200. In addition, issuer
information may be sent with the session
information (s1, s2). By providing notification of
the issuer information beforehand, generating and
sending a token exchange format which does not
satisfy formula (16) or (26) can be prevented.

Step 2207) The control part 210a sends (s1,
s2) and a hash value H(m) of the digital ticket to
be transferred to the control part 230a.

Step 2208) The control part 230a in the
tamper-proof device 280a verifies that following
formulas are satisfied for C_Ua which is stored in the
storing part 270a.

∃c2((H(m), c2) ∈ C_Ua), c^ei^^ (7)

When and if the verification fails, the
process after that is interrupted and the control
part 210a is notified of the failure.

The above formula (7) means verification
that the token (H(m), c2) which corresponds to the
digital ticket m to be transferred is stored in the
storing part 270a.

Step 2209) The control part 230a of the
tamper-proof device 280a obtains a token exchange
format e = (e1, e2, e3, e4, e5, e6, e7, e8) by using S_PkUa
which is included in the signature part 250a and
verification keys PkUa, PkAa, and a key certificate
(PkUa, S_PkAa(PkUa)) which is included in the control
part 210a of the user apparatus 200a. Each element
of e is shown below.

e1 = H(m)
e2 = c2
e5 = S_PkUa(H(m) || c2 || s1 || s2)
e6 = PkUa
e7 = S_PkAa(PkUa)
e8 = PkAa

Step 2210) The control part 230a deletes
(H(m), c2) from the set C_Ua if s2 is positive.

Step 2211) The control part 230a sends e
to the control part 210a.

Step 2212) The control part 210a sends e
to the control part 210b of the user apparatus 200b.

Step 2213) The control part 210b sends e
and the accredited information t to the control part
230b in the tamper-proof device 280b. The control
part 210b requests to store the token in e.

Step 2214) The control part 230b verifies
that all formulas below are satisfied by using the
authentication part 240b. If the verification
fails, the process is interrupted and the control
part 210b is notified of the interruption.

e3 = H(PkUb) (8)
(9)
V_e6(e1 || e2 || e3 || e4, e5) = 1 (10)
V_e8(e6, e7) = 1 (11)
H(e8) ∈ t1 (12)
V_t3(t1, t2) = 1 (13)
e2 = H(t3) (14)

The above formulas (8) and (9) mean
verification of validity of the session information.
According to the verification, fraud such as storing
a token exchange format in a user apparatus other
than the user apparatus 200b, reproducing a token by
reusing the token exchange format or the like is
prevented.

The formula (10) means verification for
the validity of the signer of the token exchange
format. According to this verification, tampering
of the token exchange format can be prevented.

The formula (11) means verification of the
key certificate of the signer. The formula (12)
means verification that the signer of the key
certificate is included in the accredited objects in
the accredited information. The formula (13) means
verification of the validity of the accredited
information. The formula (14) means verification
that the signer of the accredited information is the
same as the issuer of the token. According to the
above verification, it is verified that the
tamper-proof capability of the source of the token
exchange format is assured by a party trusted by the
issuer.

Step 2215) The control part 230b deletes
e4 (= r_Ub) from the number set R_Ub in the storing part
270b.

Step 2216) The control part 230b adds (e1,
e2) to the set C_Ub in the storing part 270b.

Step 2217) The control part 230b notifies
the control part 210b of the normal completion of
the process.

Step 2218) The control part 210b verifies
that all formulas below are satisfied. If the
verification fails, the process is interrupted and
the control part 210a is notified of the
interruption. If the verification succeeds, the
control part 210a is notified of the normal
completion of the process.

e1 = H(m) (15)
e2 ∈ I_Ub (16)

The formulas (15) and (16) mean
verification that the sent token corresponds to the
subject digital ticket and was issued by a proper
issuer. According to the verification, it is
verified that the transferred ticket is valid.

When the issuer information is managed
data by data in the control part 210b, e2 ∈ I_Ub(m) is
substituted for the formula (16).

(3) Consuming the digital ticket 

The digital ticket consuming process from
the user apparatus 200 to the collector apparatus
300 via the connection apparatus 400 will be
described in the following.

Fig. 20 is a sequence chart of the ticket
consuming process according to an embodiment of the
present invention. In the figure, the connection
apparatus 400 existing between the user apparatus
200 and the collector apparatus 300 is not shown.

Step 3301) The control part 210 extracts a
digital ticket m to be consumed from M_U which is
included in the storing part 220.

Step 3302) The control part 210 extracts
the accredited information (t1, t2, t3) generated by
the issuer of m from T_U included in the storing part
220.

Step 3303) The control part 210 sends m
and (t1, t2, t3) to the control part 310 of the
issuer apparatus 300.

Step 3304) The control part 310 generates
session information (s1, s2) according to the
following procedure.

(a) The control part 310 obtains a number r_E
from the number generation part 330.

(b) The number r_E is added to a number set
in the storing part 340.

(c) The session information (s1, s2) = (H(PkE),
r_E) is generated. Here, PkE is a verification key
held by the control part 310.

Step 3305) The control part 310 sends the
session information (s1, s2) to the control part 210
of the user apparatus 200.

Step 3306) The control part 210 sends (s1,
s2) and a hash value H(m) of the digital ticket to
be consumed to the control part 230 of the
tamper-proof apparatus 280.

Step 3307) The control part 230 verifies
that following formulas are satisfied for C_U which
is stored in the storing part 270.

∃c2((H(m), c2) ∈ C_U) (17)

When and if the verification fails, the
process after that is interrupted and the control
part 210 is notified of the failure.

The above formula (17) means verification
that the token (H(m), c2) which corresponds to the
digital ticket m to be consumed is stored in the
storing part 270 of the tamper-proof device 280.

Step 3308) The control part 230 obtains a
token exchange format e = (e1, e2, e3, e4, e5, e6, e7,
e8) by using the signature function S_PkU which is
included in the signature part 250 and verification
keys PkU, PkA, and a key certificate (PkU, S_PkA(PkU))
which are included in the control part 210. Each
element of e is shown below.

e1 = H(m)
e5 = S_PkU(H(m) || c2 || s1 || s2)
e6 = PkU
e7 = S_PkA(PkU)
e8 = PkA

Step 3309) The control part 230 of the
tamper-proof device 280 deletes (H(m), c2) from
when s2 is positive.

Step 3310) The control part 230 sends e to
the control part 210.

Step 3311) The control part 210 sends e to
the control part 310 of the collector apparatus 300.

Step 3312) The control part 310 verifies
that all formulas below are satisfied by using the
authentication part 320. If the verification fails,
the process is interrupted and the control part 210
of the user apparatus 200 is notified of the
interruption.

e3 = H(PkE) (18)
e4 ∈ R_E (19)
V_e6(e1 || e2 || e3 || e4, e5) = 1 (20)
V_e8(e6, e7) = 1 (21)
H(e8) ∈ t1 (22)
V_t3(t1, t2) = 1 (23)
e2 = H(t3) (24)



The above formulas (18) and (19) mean 
verification of validity of the session information. 
According to the verification, fraud such as storing 
a token exchange format to a collector apparatus 
other than the collector apparatus 300, reproducing 
a token by reusing the token exchange format or the 
like is prevented. 

The formula (20) means verification for 
the validity of the signer of the token exchange 
format. According to this verification, tampering 
of the token exchange format can be prevented. 

The formula (21) means verification of the 
key certificate of the signer. The formula (22) 
means verification that the signer of the key 
certificate is included in the accredited objects in 
the accredited information. The formula (23) means 
verification of the validity of the accredited 
information. The formula (24) means verification 
that the signer of the accredited information is the 
same as the issuer of the token. According to the 
above verification, it is verified that the tamper- 
proof capability of the source of the token exchange 
format is assured by a party trusted by the issuer. 

Step 3313) The control part 310 of the
collector apparatus 300 deletes e4 (= r_E) from in
the storing part 340.

Step 3314) The control part 310 verifies
that all formulas below are satisfied. If the
verification fails, the control part 210 of the user
apparatus 200 is notified of the process
interruption. If the verification succeeds, a
service corresponding to m is provided to the
consumer.

e1 = H(m) (25)
e2 ∈ I_E (26)

The formulas (25) and (26) mean
verification that the sent token corresponds to the
subject digital ticket and was issued by a proper
issuer. According to the verification, it is
verified that the consumed ticket is valid.

When the issuer information is managed
data by data in the control part 310, e2 ∈ I_E(m) is
substituted for the formula (26).

(4) Presenting the digital ticket
Presentation of the digital ticket can be
realized by modifying the process of the ticket
consumption as follows.

- The control part 310 generates (s1,
s2) = (H(PkE), -r_E) in (c) of the step 3304.

- A formula -e4 ∈ R_E is substituted for the
formula (19) in the step 3312.

According to the above-mentioned
modification, since s2 becomes negative, (H(m), c2)
is not deleted from in step 3309. That is, it
becomes possible to verify that the user apparatus
has a valid digital ticket at the time of the
presentation while the valid digital ticket remains
in the user apparatus. Thus, the inspection of the
digital tickets becomes possible.

In the above descriptions (1)-(4), the
sent token exchange format is not explicitly stored.
On the other hand, storing the token exchange format
in the storing part 220 produces an effect. That is,
the user apparatus can send the history of the token
exchange format when sending m. As a result, it
becomes possible to identify a fraudulent apparatus
when fraud (double spending) is found. The fraud
may be, for example, that the tamper-proof device 280
is cracked.

(5) Returning the digital ticket 

The collector can return the digital 
ticket which has been consumed or presented to the 
issuer. Then, the issuer can pay a value to the 
collector. Accordingly, a value such as a fee can 
be paid to the issuer who has collected or inspected 
a digital ticket while preventing double-billing. 

In the following, the process for 
returning will be described. 

The issuer apparatus 100 further includes
a part (a storing part 160) for storing the token
exchange format e and a part for storing or
obtaining data m corresponding to the returned
ticket and accredited information (t1, t2, t3).

The process for returning the digital
ticket which is consumed or presented at the issuer
apparatus 300 will be described.

Step 5501) The issuer apparatus 300 sends
the token exchange format e which is consumed or
presented to the issuer apparatus 100.

Step 5502) The control part 100 of the
issuer apparatus 100 verifies that a formula e2 =
H(PkI) is satisfied in which is included in e.
When and if the verification fails, the issuer
apparatus is notified of the failure and the process
is interrupted. According to the verification, it
is verified that e corresponds to the digital ticket
which is issued by the issuer apparatus 100 itself.

Step 5503) The control part 110 verifies
that the formulas (20)-(22) are satisfied for e.
When the accredited information (t1, t2, t3) is
obtained via an unreliable route (for example, via
the issuer), the formulas (23) and (24) are also
verified. In this case, when verifying the formula
(24), PkI is substituted for t3. When the
verification fails, the issuer apparatus 300 is
notified of the failure and the process is
interrupted. According to the verification, it is
verified that e is circulated via a valid
circulation route.

Step 5504) The control part 110 verifies
that the tamper-proof capability of is not
assured by any third party which is trusted by t1 in
which e3 is included in e when e4 is positive.
Accordingly, it is verified that the valid token is
not stored, that is, the right of the ticket is
properly terminated due to consumption.

Step 5505) The control part 110 stores
e in the storing part 160. If e has been already
stored in the storing part 160, the issuer apparatus
300 is notified of the failure and the process is
interrupted.

Step 5506) The issuer provides a value
according to the returned digital ticket to the
issuer.

(6) Book of tickets 

A book of tickets can be realized by
adding number information or time information to the
token of the token exchange format. The number
information is assumed to be the number of the
ticket.

Accordingly, when a plurality of digital
tickets issued by the same issuer and having the
same contents are issued, the digital tickets can be
treated properly and a plurality of same tokens can
be sent effectively.

Specifically, by modifying the
above-mentioned embodiments, the book of tickets can be
realized.

- Number information c3 is added to the token.

- Number information e_n is added to the token
exchange format.

- In the process of issuing the digital ticket,
the number of tickets is specified as N when the
token is generated (step 1102).

- In the process of transferring/consuming the
digital ticket, when the step 2207 or the step 3306
is performed, the number of the digital tickets to
be transferred/consumed is specified as n.

- In the process of transferring/consuming the
digital ticket, when it is verified that the token
is stored in step 2208 or step 3307, it is verified
that the number of the tickets is adequate. That is,
it is verified that C_U includes (c1, c2, c3) in which
c1 = H(m) ∩ c3 ≥ n is satisfied.

- When the token exchange format is generated in
step 1108, step 2209 or step 3308, e_n = n is added
and n is added and concatenated to the object to be
signed in e5 such that c1 || c2 || s1 || s2 || n is obtained.

- In the process of transferring/consuming, when
deleting the token (when is positive in step 2210
or step 3309), (H(m), c2, c3) is deleted from C_U
only when c3 = n is satisfied. When c3 < n, (H(m),
c2, c3) in C_U is updated to (H(m), c2, c3 - n).

- When verifying the token exchange format in step
1111, step 2214 or step 3312, e_n is added and
concatenated to the object to be verified in the
signature verification by e5 (the formulas (3), (10)
and (20)) such that e1 || e2 || e3 || e4 || e_n is obtained.

- In the process of issuing/transferring
the digital ticket, when storing the token in step
1113 or step 2216, if already includes a token (c1,
c2, c3) in which e1 = c1 and e2 = c2 are satisfied, the
token (c1, c2, c3) in is updated to (c1, c2, c3 +
e_n).

- In the process of consuming/returning
the digital ticket, the service or the value may be
provided a plurality of times according to e_n.

(7) Retransmission control 
The token can be retransmitted while
preventing reproduction after abnormal conditions
such as unintentional disconnection of a route are
encountered. In the following, the process for the
retransmission will be described. Specifically, the
following procedures are added to some steps in the
above-mentioned embodiments.

- The control part 110 or 230 retains the
token exchange format e generated in step 1108, step
2209 or step 3308.

- The control part 210 or 310 notifies the
control part 110 or 210 which sent the digital
ticket of (s1, s2) when acknowledgment of receipt is
sent in normal completion in step 1115, step 2218,
or in providing a service in step 3314.

- The control part 110, 210 deletes the token
exchange format corresponding to (s1, s2) after the
acknowledgment of receipt is received.

When carrying out retransmission, some
steps of the above-mentioned embodiment are modified
as shown below.

- When the session information is obtained
in step 1106, 2205 or 3304, the session information
is not newly generated. Instead, the session
information (s1, s2) stored in the storing part 220
or 340 is used.

- In step 1108, steps 2208-2210, and steps
3307-3309, if the control part 110 or 210 has e in
which (e3 = s1) ∩ (e4 = s2) is satisfied, e is not newly
generated and the retained e is used.

(8) Variations of issuing
Since the issue of the digital ticket can
be assumed to be ticket (token) generation and
transferring the ticket logically, the digital
ticket can be issued by using the ticket
transferring process described below for example.
The amount of processing necessary for the process
increases as compared with the ticket issuing
process described above, since the verification
process of the ticket transferring is more complex
than that of the ticket issuing.

(8-1) Use of self-certificate
According to the aforementioned process,
the verification process of the token exchange
format by the control part 230 is different between
ticket issuing (step 1111) and ticket transferring
(step 2214). Implementation cost can be decreased
by unifying the verification process as one in step
2214.

The control part 110 includes a key
certificate (PkI, S_PkI(PkI)) by itself. As
described below, by modifying the ticket issuing
process, the process of the control part 230 which
is in the receiving side can be unified.

- The issuer apparatus includes the self
hash value H(PkI) in the accredited object t1 by the
issuer when the accredited information generation
part 150 generates the accredited information in
step 1103.

- e7 = S_PkI(PkI) and e8 = PkI are used when
the token exchange format e is generated in step
1108.

- The formulas (8)-(14) are used instead
of the formulas (1)-(4) when the token exchange
format e is verified in step 1111. U is substituted
for Ub.
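
The receiving-side checks of step 2214 (formulas (8)-(14)), the sender's deletion in step 2210 and issuing by the self-certificate variation (8-1) can be exercised together in the following Python sketch, which is an added example and not part of the specification. Assumptions: toy textbook RSA over fixed Mersenne primes stands in for the signature functions (not secure), SHA-256 over length-prefixed parts stands in for H and ||, check 9 follows the pattern of formulas (2) and (19), and all class and function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent of the toy RSA below

def H(*parts: bytes) -> bytes:
    """Hash of p1 || p2 || ...; each part is length-prefixed (an added assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def enc(x: int) -> bytes:
    """Encode a verification key or a (possibly negative) session number."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big", signed=True)

class Key:
    """Toy textbook RSA standing in for S_Pk; the modulus is the verification key Pk."""
    def __init__(self, p: int, q: int):
        self.pk = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))
    def sign(self, *parts: bytes) -> int:
        return pow(int.from_bytes(H(*parts), "big") % self.pk, self._d, self.pk)

def V(pk: int, sig: int, *parts: bytes) -> bool:
    """Verifier: True when sig is the signature of the parts under key pk."""
    return pow(sig, E, pk) == int.from_bytes(H(*parts), "big") % pk

class Device:
    """Tamper-proof device 280: parts 230 to 270 of the user apparatus."""
    def __init__(self, key: Key, maker: Key):
        self.key, self.pkA = key, maker.pk
        self.cert = maker.sign(enc(key.pk))           # S_PkA(PkU)
        self.r, self.R, self.C = 1, set(), set()      # r_U, R_U, C_U

    def session(self):                                # step 2205 (a)-(c)
        r, self.r = self.r, self.r + 1
        self.R.add(r)
        return H(enc(self.key.pk)), r                 # (s1, s2)

    def send(self, hm, s1, s2):                       # steps 2208-2210
        c2 = next((c for h, c in self.C if h == hm), None)
        if c2 is None:
            raise LookupError("no token stored for H(m)")
        e5 = self.key.sign(hm, c2, s1, enc(s2))
        if s2 > 0:                                    # negative s2 = presentation
            self.C.discard((hm, c2))
        return (hm, c2, s1, s2, e5, self.key.pk, self.cert, self.pkA)

    def receive(self, e, t):                          # steps 2214-2216
        (e1, e2, e3, e4, e5, e6, e7, e8), (t1, t2, t3) = e, t
        checks = {
            8: e3 == H(enc(self.key.pk)),             # addressed to this device
            9: e4 in self.R,                          # open session (as in (2), (19))
            10: V(e6, e5, e1, e2, e3, enc(e4)),       # signature of the sender
            11: V(e8, e7, enc(e6)),                   # key certificate of the sender
            12: H(enc(e8)) in t1,                     # certifier accredited by issuer
            13: V(t3, t2, *sorted(t1)),               # accredited information intact
            14: e2 == H(enc(t3)),                     # accreditor is the token issuer
        }
        failed = [n for n, ok in checks.items() if not ok]
        if not failed:
            self.R.discard(e4)                        # step 2215: number is single-use
            self.C.add((e1, e2))                      # step 2216
        return failed

def issue(issuer: Key, makers, m: bytes, s1, s2):
    """Issuing with the self-certificate variation (8-1)."""
    t1 = frozenset(H(enc(k.pk)) for k in makers) | {H(enc(issuer.pk))}
    t = (t1, issuer.sign(*sorted(t1)), issuer.pk)     # (t1, t2, t3)
    c1, c2 = H(m), H(enc(issuer.pk))                  # token (c1, c2)
    e5 = issuer.sign(c1, c2, s1, enc(s2))
    return (c1, c2, s1, s2, e5, issuer.pk, issuer.sign(enc(issuer.pk)), issuer.pk), t

def demo():
    M = lambda k: 2**k - 1                            # Mersenne primes as toy RSA primes
    issuer, maker, other_maker = Key(M(89), M(107)), Key(M(89), M(127)), Key(M(107), M(127))
    a, b, c = (Device(Key(M(61), M(k)), maker) for k in (127, 107, 89))
    clone = Device(Key(M(61), M(521)), other_maker)   # device not accredited by the issuer
    m, out = b"constructed ticket: seat 12A", {}
    e, t = issue(issuer, [maker], m, *a.session())
    out["issue"] = a.receive(e, t)
    e_ab = a.send(H(m), *b.session())
    out["transfer"] = b.receive(e_ab, t)
    out["replay"] = b.receive(e_ab, t)
    c.session()                                       # c has an open session of its own
    out["other_device"] = c.receive(e_ab, t)
    try:
        a.send(H(m), *c.session())
        out["second_send"] = "sent"
    except LookupError:
        out["second_send"] = "refused"
    clone.C.add((H(m), H(enc(issuer.pk))))            # token minted outside the protocol
    out["unaccredited"] = b.receive(clone.send(H(m), *b.session()), t)
    out["holders"] = [n for n, d in (("a", a), ("b", b), ("c", c)) if d.C]
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each entry of the returned dictionary lists the formula numbers that failed, so the replayed format fails only the session-number check, the misdirected one fails only the device-identifier check, and the token from the unaccredited device fails only formula (12).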

(8-2) Issuing the digital ticket by a user
apparatus

As mentioned below, the user apparatus can
issue the digital ticket by having a capability of
generating a token issued by the user apparatus.

The process will be described in the
following. In the description, it is assumed that
data m is already generated.

- The control part 210 provides a hash
value H(m) of data m which corresponds to the
digital ticket and the accredited object t1 =
{H(PkA1), H(PkA2), ..., H(PkAn)} to the control part
230.

- The control part 230 stores (H(m),
H(PkU)) in the storing part 270 by using the
verification key PkU.

- The control part 230 generates t2 =
S_PkU(H(PkA1) || H(PkA2) || ... || H(PkAn)) by using the
signature part 250.

- The control part 230 returns (t1, t2,
t3 = PkU) to the control part 210. The control part
210 stores (t1, t2, t3) in the storing part 220.

After that, the digital ticket is sent.

The above-mentioned examples of returning
the tickets, the book of the tickets, retransmission
control, and variations of issuing can be applied to
the first embodiment.

Each element of the issuer apparatus 100,
the user apparatus 200 or the collector apparatus
300 can be constructed by a program. The program
can be stored in a disk unit connected to a computer
which may be used as the issuer apparatus, the user
apparatus or the collector apparatus. The program
can be also stored in a transportable computer
readable medium such as a floppy disk, a CD-ROM or
the like. The program may be installed from the
computer readable medium to a computer such that the
present invention is realized by the computer.

Fig. 21 is a block diagram showing a
hardware configuration of such a computer. As shown
in Fig. 21, the computer system includes a CPU 500 by
which a process of a program is executed, a memory
501 for temporarily storing data and a program, an
external storage unit 502 for storing data and a
program to be loaded into the memory 501, a display
503 for displaying data, a keyboard 504 for
inputting data or commands, and a communication
processing unit 505 which enables the computer
system to communicate with other computers via a
network. The program is installed in the external
storage unit 502 then loaded into memory 501 and
executed by the CPU 500.

As mentioned above, according to the 
second embodiment of the present invention, the 
token can be transmitted only via routes which are 
trusted by the issuer and the user or the collector 
identified by the issuer. Thus, the occurrence of 
the token corresponding to the data being newly 
stored in the token storing part by a person other 
than the issuer indicated by the token issuer 
information in the token can be prevented. In 
addition, the occurrence of the token being 
reproduced to a plurality of the token storing parts 
while the token is transferred can be prevented. 
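
The transfer rule summarized above, as an added sketch that is not code from the specification: a receiving apparatus stores a token only if it answers a session the receiver issued itself (its verification key plus a serial number, as recited in the claims) and is signed by a device whose key hash is in the accredited set. SHA-256, the Lamport one-time signature standing in for the signature function, H(data) as the token, and the names UserApparatus, new_session, send and receive are assumptions.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    """Unidirectional function; SHA-256 is an assumption of this sketch."""
    return hashlib.sha256(data).digest()


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# Lamport one-time signature: a stand-in for the apparatus signature function.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = b"".join(H(half) for pair in sk for half in pair)
    return sk, pk


def sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 512 * 32 or len(sig) != 256 * 32:
        return False
    for i, b in enumerate(_bits(msg)):
        slot = (2 * i + b) * 32
        if H(sig[i * 32:(i + 1) * 32]) != pk[slot:slot + 32]:
            return False
    return True


def transfer_message(manifest: bytes, session) -> bytes:
    """Bytes that the sender signs: token, receiver key, receiver serial."""
    receiver_pk, serial = session
    return manifest + receiver_pk + serial.to_bytes(8, "big")


class UserApparatus:
    """Hypothetical model of the tamper-proof part of a user apparatus."""

    def __init__(self):
        self._sk, self.pk = keygen()   # private key never leaves the device
        self._signed = False           # a Lamport key may sign only once
        self._serial = 0
        self._sessions = set()         # outstanding session information
        self._manifests = set()        # second storing means (tokens)

    def new_session(self):
        self._serial += 1
        session = (self.pk, self._serial)
        self._sessions.add(session)
        return session

    def send(self, manifest: bytes, session):
        if self._signed:
            raise RuntimeError("one-time signing key already used")
        self._manifests.remove(manifest)   # delete on send; KeyError if not held
        self._signed = True
        sig = sign(self._sk, transfer_message(manifest, session))
        return manifest, session, self.pk, sig

    def receive(self, manifest, session, sender_pk, sig, accredited) -> bool:
        if session not in self._sessions:      # replayed or foreign session
            return False
        if H(sender_pk) not in accredited:     # sender not trusted by the issuer
            return False
        if not verify(sender_pk, transfer_message(manifest, session), sig):
            return False
        self._sessions.discard(session)        # a session is consumed exactly once
        self._manifests.add(manifest)
        return True

    def is_valid(self, data: bytes) -> bool:
        return H(data) in self._manifests


def demo():
    ticket = b"constructed sample ticket: seat A-12"
    alice, bob, mallory = UserApparatus(), UserApparatus(), UserApparatus()
    # Assumption: the issuer's signature over this set was already checked.
    accredited = {H(alice.pk), H(bob.pk)}
    alice._manifests.add(H(ticket))            # as if received from the issuer
    msg = alice.send(H(ticket), bob.new_session())
    first = bob.receive(*msg, accredited)
    replay = bob.receive(*msg, accredited)     # same message delivered again
    mallory._manifests.add(H(ticket))          # token in an unaccredited device
    forged = bob.receive(*mallory.send(H(ticket), bob.new_session()), accredited)
    return first, replay, forged, alice.is_valid(ticket), bob.is_valid(ticket)


if __name__ == "__main__":
    print(demo())
```

The replayed message is refused because its session was consumed on first receipt, and the sender no longer holds the token after sending, so the token exists in one store at a time.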

In addition, by regarding data with the 
token issued by a specific issuer as original, it 
becomes possible to restrict the number of issuances of
the original data by the issuer. 

Further, by using an information
identifier such as a URL which exists in a network
as data, an access right to the information which
cannot be reproduced and can be transferred can be
provided.

Further, by using a ticket with the 
correct contents or by using an identifier of the 
ticket, only the ticket that has a valid token can 
be regarded as a valid ticket and a user or a 
collector can refuse a ticket other than the valid 
ticket. Thus, fraudulent use (for example, double 
spending and illegal reproduction) of the ticket can 
be prevented. 

Furthermore, by using a program as data of
the present invention and by using the token issued
by a specific issuer as a license of the program, 
illegal copying and use of the program can be 
prevented. In this case, the program execution 
apparatus can refuse to execute a program other than 
the program with the token. 

Further, by using music data or image data
as data of the present invention, illegal copying
and use of the music data or image data, in which
the token issued by a specific issuer is used as an
appreciation right, can be prevented. A display
apparatus of the data or a playback apparatus can
refuse to display or play back data other than the
data with the token.

The present invention is not limited to 
the specifically disclosed embodiments, and 
variations and modifications may be made without 
departing from the scope of the invention.

WHAT IS CLAIMED IS:



1. An original data circulation system for 
storing or circulating original data which is 
digital information, said system comprising: 

an apparatus including: means for 
generating first information corresponding to an 
issuer apparatus for issuing data; means for sending 
said first information; and means for sending second
information corresponding to said data; and

an apparatus including: means for 
verifying validity of said first information which 
is received; means for verifying that an issuing 
apparatus corresponding to valid first information 
is valid; and means for determining that data 
corresponding to said second information is valid 
when said issuer apparatus is valid. 



2. An original data circulation method in 
an original data circulation system for storing or 
circulating original data which is digital 
information, said method comprising the steps of: 

generating first information corresponding 
to an issuer apparatus for issuing data; 

sending said first information; 

sending second information corresponding 
to said data; 

verifying validity of said first 
information which is received; 

verifying that an issuing apparatus
corresponding to valid first information is valid;
and

determining that data corresponding to 
said second information is valid when said issuer 
apparatus is valid. 



3. A data storing method of storing
digital information which has a value, comprising
the steps of:

generating first information which is
digital information with a signature signed by an
issuer apparatus of said digital information;

generating, by said issuer apparatus,
second information, said second information being a
manifest corresponding to said digital information;

verifying, by a user apparatus, identity
of said issuer apparatus by using said first
information and said second information; and

preventing reproduction of said digital
information.



4. The data storing method as claimed in
claim 3, comprising the steps of:

obtaining a verification key issued by a
server which is stringently managed concerning
issuance of digital information;

generating, by said user apparatus,
session information from said verification key; and

verifying validity of said session
information.



5. The data storing method as claimed in
claim 3, comprising the steps of:

verifying the identity of said issuer
apparatus by storing said second information in a
tamper-proof device; and

preventing reproduction of said digital
information.



6. A data storing system for storing
digital information which has a value, comprising:

an issuer apparatus for generating first
information which is digital information with a
signature and generating second information which is
a manifest corresponding to said digital
information; and

a user apparatus for verifying the
identity of said issuer apparatus by using said
first information and said second information; and
preventing reproduction of said digital
information.



7. The data storing system as claimed in
claim 6, said user apparatus further comprising
means for obtaining a verification key issued by a
server which is stringently managed concerning issue
of digital information;

said data storing system further
comprising a collector apparatus including:

means for generating session information
from a verification key; and

means for verifying the validity of said
session information.



8. The data storing system as claimed in 
claim 6, said user apparatus further comprising: 

means for verifying the identity of said 
issuer apparatus by storing said second information 
in a tamper-proof device; and 

preventing reproduction of said digital 
information.



9. A user apparatus for using digital
information in a data storing system for storing 
digital information which has a value, comprising: 

first storing means for storing and 
extracting digital information with a signature; 

second storing means for storing and 
extracting a manifest corresponding to digital 
information;

first authentication means for verifying 
that said manifest is valid; and 

first control means for storing said 
manifest in said second storing means only when said 
first authentication means verifies that said 
manifest is valid. 



10. The user apparatus as claimed in claim
9, said second storing means and said first
authentication means having a tamper-proof
capability.

11. The user apparatus as claimed in claim
9, said first authentication means including:

means for determining whether said digital
information stored in said first storing means is
valid by verifying that said manifest corresponding
to said information is stored in said second storing
means; and

means for determining that said digital
information is valid only when said manifest is
stored in said second storing means and determining
that said digital information is invalid when said
manifest is not stored in said second storing means.



12. The user apparatus as claimed in claim
9, further comprising:

signature means for providing a signature
to digital information;

second authentication means for verifying
that the signer of said manifest is included in
accredited objects and for verifying that the signer
of accredited information and the signer of said
digital information are the same; and second control
means,

said second control means including:

means for extracting said manifest from
said second storing means when said user apparatus
moves said manifest from said second storing means
to another storing means;

means for providing said manifest a
signature by using said signature means;

means for deleting said manifest from said
second storing means;

means for verifying that the signer of
said manifest is trusted by the signer of said
digital information by using said second
authentication means; and

means for storing said manifest to said
another storing means only when the verification
succeeds.



13. The user apparatus as claimed in claim
9, further comprising:

session information generation means for
generating session information which has uniqueness
in said data storing system;

said session information including a
verification key of said user apparatus and a serial
number, being stored in said user apparatus, and
sent to a sending party of said manifest;

wherein said user apparatus receives said
manifest and said session information from said
sending party and verifies the validity of received
session information by using stored session
information such that said user apparatus prevents
reproduction of said manifest.



14. An issuer apparatus for issuing
digital information in a data storing system for
storing digital information which has a value, said
issuer apparatus comprising:

accredited information generation means
for generating accredited information which includes
a set of information representing an accredited
object trusted by the signer of said digital
information;

signature means for providing a signature
to said digital information and to said accredited
information;

manifest generation means for generating
said manifest;

means for sending said digital information
and said accredited information to a user apparatus;

means for receiving session information
which includes a verification key of said user
apparatus and a serial number; and

means for sending information including
said manifest and said session information by using
a verification key and a signature function of said
issuer apparatus.

15. A collector apparatus for exercising a
right of digital information in a data storing
system for storing digital information which has a
value, said collector apparatus comprising:

means for receiving digital information
with a signature of the issuer and accredited
information with said signature from a user
apparatus;

means for generating session information
which has uniqueness in said data storing system and
sending said session information to said user
apparatus;

means for receiving information including
said manifest and said session information from said
user apparatus; and

means for verifying that said session
information, said manifest and said accredited
information are valid.

16. A data storing system for storing
digital information which has a value, said data
storing system comprising:

a user apparatus for using digital
information;

an issuer apparatus for issuing digital
information; and

a collector apparatus for exercising a
right of digital information;

said user apparatus including:

first storing means for storing and
extracting digital information with a signature;

second storing means for storing and
extracting a manifest corresponding to digital
information;

first authentication means for verifying
that said manifest is valid; and

first control means for storing said
manifest in said second storing means only when said
first authentication means verifies that said
manifest is valid;

said issuer apparatus including:

accredited information generation means
for generating accredited information which includes
a set of information representing an accredited
object trusted by the signer of said digital
information;

signature means for providing a signature
to said digital information and to said accredited
information;

manifest generation means for generating 
said manifest; 

means for sending said digital information 
and said accredited information to a user apparatus; 

means for receiving session information 
which includes a verification key of said user 
apparatus and a serial number; and 

means for sending information including 
said manifest and said session information by using 
a verification key and a signature function of said 
issuer apparatus; 

said collector apparatus including: 

means for receiving digital information 
with a signature of the issuer and accredited 
information with said signature from a user 
apparatus;

means for generating session information 
which has uniqueness in said data storing system and 
sending said session information to said user 
apparatus;

means for receiving information including 
said manifest and said session information from said 
user apparatus; and 

means for verifying that said session 
information, said manifest and said accredited 
information are valid. 



17. A computer readable medium storing
program code for causing a computer to store digital
information which has a value, said computer being
used as an issuer apparatus in a data storing system,
said computer readable medium comprising:

program code means for generating first
information which is digital information with a
signature; and

program code means for generating second
information, said second information being a
manifest corresponding to said digital information.



18. A computer readable medium storing
program code for causing a computer to store digital
information which has a value, said computer being
used as a user apparatus in a data storing system,
said computer readable medium comprising:

program code means for verifying identity
of said issuer apparatus by using said first
information and said second information; and

preventing reproduction of said digital
information.

19. The computer readable medium as
claimed in claim 18, comprising:

program code means for obtaining a
verification key issued by a server which is
stringently managed concerning issue of digital
information;

program code means for generating session
information from said verification key; and

program code means for verifying validity
of said session information.



20. A computer readable medium storing
program code for causing a computer to store digital
information which has a value, said computer being
used as a user apparatus in a data storing system,
said computer readable medium comprising:

first storing program code means for
storing digital information with a signature in a
first storing means and extracting said digital
information with a signature;

second storing program code means for
storing a manifest corresponding to digital
information in a second storing means and extracting
said manifest corresponding to digital information;

first authentication program code means
for verifying that said manifest is valid; and

first authentication program code means
for verifying that said manifest is valid.



21. The computer readable medium as
claimed in claim 20, said first authentication
program code means comprising:

program code means for determining whether
said digital information stored in said first
storing means is valid by verifying that said
manifest corresponding to said information is stored
in said second storing means; and

program code means for determining that
said digital information is valid only when said
manifest is stored in said second storing means and
determining that said digital information is invalid
when said manifest is not stored in said second
storing means.



22. The computer readable medium as
claimed in claim 20, comprising:

signature program code means for providing
a signature to digital information;

second authentication program code means
for verifying that the signer of said manifest is
included in accredited objects and for verifying
that the signer of accredited information and the
signer of said digital information;

program code means for extracting said
manifest when said user apparatus moves said
manifest;

program code means for providing a
signature to said manifest by using said signature
program code means;

program code means for deleting said
manifest from said second storing means;

program code means for verifying that the
signer of said manifest is trusted by the signer of
said digital information by using said second
authentication program code means; and

program code means for moving said
manifest only when the verification succeeds.



23. A computer readable medium storing
program code for causing a computer to store digital
information which has a value, said computer being
used as an issuer apparatus in a data storing system,
said computer readable medium comprising:

accredited information generation program
code means for generating accredited information
which includes a set of information representing
accredited object trusted by the signer of said
digital information;

signature program code means for providing
a signature to said digital information and to said
accredited information;

manifest generation program code means for
generating said manifest;

program code means for sending said
digital information and said accredited information
to a user apparatus;

program code means for receiving session
information which includes a verification key of
said user apparatus and a serial number; and

program code means for sending information
including said manifest and said session information
by using a verification key and a signature function
of said issuer apparatus.



24. A computer readable medium storing
program code for causing a computer to store digital
information which has a value, said computer being
used as a collector apparatus in a data storing
system, said computer readable medium comprising:

program code means for receiving digital
information with a signature of the issuer and
accredited information with said signature from a
user apparatus;

program code means for generating session
information which has uniqueness in said data
storing system and sending said session information
to said user apparatus;

program code means for receiving
information including said manifest and said session
information from said user apparatus; and

program code means for verifying that said
session information, said manifest and said
accredited information are valid.



25. An original data circulation method in
an original data circulation system for storing or
circulating original data which is digital
information, said method comprising:

a sending step of sending, by a first
apparatus, originality information, said originality
information including first information which
corresponds to an apparatus and second information
which is data or information corresponding to the
data; and

an identifying step of identifying, by a
second apparatus, a source apparatus of said
originality information;

a first authentication step of determining
that said originality information is valid when said
source apparatus is authenticated; and

a second authentication step of
determining that said originality information is
valid only when said source apparatus and an
apparatus corresponding to said first information of
said originality information are the same.



26. The original data circulation method
as claimed in claim 25, said method further
comprising:

a step of concealing, by said first
apparatus, a private key; and

a step of storing or obtaining, by said 
second apparatus, a hash value of said second 
apparatus which hash value is generated by applying 
a unidirectional function to a public key 
corresponding to one or a plurality of private keys; 

said first authentication step including: 

a step of authenticating said first 
apparatus by verifying that said first apparatus has 
a private key corresponding to said hash value. 



27. The original data circulation method 
as claimed in claim 25, wherein said sending step 
includes a step of sending a third party certificate 
to said second apparatus, said third party 
certificate being a certificate representing that 
said first apparatus is authenticated by one or a 
plurality of third parties, and said third party 
certificate corresponding to a certifier of a third 
party; 

said method further including: 
a step of storing or obtaining, by said 
second apparatus, third party information 
corresponding to one or a plurality of third 
parties;

said first authentication step including:
a step of authenticating said first
apparatus by verifying that said first apparatus is
an object to be authenticated in said third party
certificate and that a certifier of said third party
certificate is included in third parties in said
third party information.



28. The original data circulation method
as claimed in claim 27, said method further
comprising a step of storing or obtaining, by said
second apparatus, third party accredited information
corresponding to said first information and one or a
plurality of third parties;

said first authentication step including:

a step of authenticating said first
apparatus by verifying that said first apparatus is
an object to be authenticated in said third party
certificate and that a certifier of said third party
certificate is included in third parties in said
third party accredited information, said third
parties corresponding to said first information and
being extracted from said third party accredited
information.



29. The original data circulation method
as claimed in claim 27, said method further
comprising a step of storing or obtaining, by said
second apparatus, third party accredited information
corresponding to said first information and one or a
plurality of third parties;

said first authentication step including:

a step of authenticating said first
apparatus by verifying that a certifier of said
third party certificate is included in third parties
extracted from said third party accredited
information, said third parties corresponding to
said first information and said second information.



30. The original data circulation method
as claimed in claim 25, said method further
including:

a step of concealing, by said first
apparatus, a private key; and

a step of sending a public key certificate
and a signature by a private key, said public key
certificate being a public key of said private key
to which a signature by a third party which trusts
said first apparatus is provided;

a step of identifying, by said second
apparatus, the public key of said third party by
verifying said public key certificate; and

a step of storing or obtaining one or a
plurality of hash values;

said first authentication step including:

a step of authenticating said first
apparatus by verifying that said signature by using
said public key included in said public key
certificate and by verifying that information
generated by applying a unidirectional function to
said public key of said third party is included in
said hash values.

31. The original data circulation method
as claimed in claim 25, said method further
including a step of storing or obtaining, by said
second apparatus, user accredited information
corresponding to said first information and one or a
plurality of third parties;

said first authentication step including:
a step of authenticating said first
apparatus by verifying that said source apparatus is
included in information corresponding to said first
apparatus extracted from said first information by
using said user accredited information.



32. The original data circulation method
as claimed in claim 25, said method further
including a step of storing or obtaining, by said
second apparatus, user accredited information
corresponding to one or a plurality of said first
apparatuses from said first information and said
second information;

said first authentication step including:
a step of authenticating said first
apparatus by verifying that said source apparatus is
included in information on said first apparatuses
extracted from said user accredited information,
said information corresponding to said first
information and second information.

33. An original data circulation system
for storing or circulating original data which is
digital information, said system comprising:

a first apparatus which includes sending
means for sending originality information, said
originality information including first information
which corresponds to an apparatus and second
information which is data or information
corresponding to the data; and

a second apparatus which includes:
identifying means for identifying a source
apparatus of said originality information;

a first authentication means for
determining that said originality information is
valid when said source apparatus is authenticated;
and

a second authentication means for
determining said originality information is valid
only when said source apparatus and an apparatus
corresponding to said first information of said
originality information are the same.

34. The original data circulation system
as claimed in claim 33, wherein said first apparatus
further includes means for concealing a private key;

said second apparatus further including
means for storing or obtaining a hash value of said
second apparatus which hash value is generated by
applying a unidirectional function to a public key
corresponding to one or a plurality of private keys;
and

said first authentication means of said
second apparatus authenticating said first apparatus
by verifying that said first apparatus has a private
key corresponding to said hash value.



35. The original data circulation system
as claimed in claim 33, wherein said sending means
includes means for sending a third party certificate
to said second apparatus, said third party
certificate being a certificate representing that
said first apparatus is authenticated by one or a
plurality of third parties, and said third party
certificate corresponding to a certifier of a third
party;

said second apparatus including means for
storing or obtaining third party information
corresponding to one or a plurality of third
parties; and

said first authentication means
authenticating said first apparatus by verifying
that said first apparatus is an object to be
authenticated in said third party certificate and
that a certifier of said third party certificate is
included in third parties in said third party
information.



36. The original data circulation system
as claimed in claim 35, wherein said second
apparatus includes means for storing or obtaining
third party accredited information corresponding to
said first information and one or a plurality of
third parties;

said first authentication means
authenticating said first apparatus by verifying
that said first apparatus is an object to be
authenticated in said third party certificate and
that a certifier of said third party certificate is
included in third parties in said third party
accredited information, said third parties
corresponding to said first information and being
extracted from said third party accredited
information.



37. The original data circulation system
as claimed in claim 35, wherein said second
apparatus includes means for storing or obtaining
third party accredited information corresponding to
said first information and one or a plurality of
third parties;

said first authentication means
authenticating said first apparatus by verifying
that a certifier of said third party certificate is
included in third parties extracted from said third
party accredited information, said third parties
corresponding to said first information and said
second information.



38. The original data circulation system
as claimed in claim 33, wherein said first apparatus
includes:

means for concealing a private key; and
means for sending a public key certificate
and a signature by a private key, said public key
certificate being a public key of said private key
to which a signature by a third party which trusts
said first apparatus is provided;

said second apparatus including:
means for identifying the public key of
said third party by verifying said public key
certificate; and

means for storing or obtaining one or a
plurality of hash values; and

said first authentication means
authenticating said first apparatus by verifying
that said signature by using said public key
included in said public key certificate and by
verifying that information generated by applying a
unidirectional function to said public key of said
third party is included in said hash values.



39. The original data circulation system
as claimed in claim 33, wherein said second
apparatus includes means for storing or obtaining
user accredited information corresponding to said
first information and one or a plurality of third
parties;

said first authentication means
authenticating said first apparatus by verifying
that said source apparatus is included in
information corresponding to said first apparatus
extracted from said first information by using said
user accredited information.



40. The original data circulation system
as claimed in claim 33, wherein said second
apparatus includes means for storing or obtaining
user accredited information corresponding to one or
a plurality of said first apparatuses from said
first information and said second information;

said first authentication means
authenticating said first apparatus by verifying
that said source apparatus is included in
information on said first apparatuses extracted from
said user accredited information, said information
corresponding to said first information and second
information.



41. An issuer apparatus in an original
data circulation system for storing or circulating
original data which is digital information, said
issuer apparatus comprising:

originality information generation means
for generating originality information which
includes first information corresponding to said
issuer apparatus and second information
corresponding to data or information corresponding
to the data; and

originality information sending means for
sending said originality information.



42. The issuer apparatus as claimed in 
claim 41, comprising: 

means for concealing a private key; and 
means for generating a hash value of said 
issuer apparatus as said first information, said 
hash value is generated from a public key of said 
private key by applying a unidirectional function. 



43. The issuer apparatus as claimed in 
claim 41, comprising means for generating said 
second information by applying a unidirectional
function to said data.



44. The issuer apparatus as claimed in
claim 43, wherein said second information is an 
identifier which identifies contents in a network. 



45. A user apparatus in an original data 
circulation system for storing or circulating 
original data which is digital information, said 
user apparatus comprising: 

originality information sending means for 
sending originality information which includes first 
information corresponding to an apparatus and second
information corresponding to data or information 
corresponding to the data; 

identifying means for identifying a source 
apparatus of said originality information which is 
sent from an apparatus; 

authentication means for determining that 
said originality information is valid when said 
source apparatus is authenticated or when said 
apparatus corresponding to said first information 
and said source apparatus is the same; and 

storing means for storing said originality 
information when said authentication means 
determines that said originality information is
valid. 



46. The user apparatus as claimed in claim
45, comprising means for deleting said originality
information when said user apparatus sends said
originality information.


47. A collector apparatus in an original 
data circulation system for storing or circulating 
original data which is digital information, said 
collector apparatus comprising: 
identifying means for identifying a source
apparatus of originality information;

authentication means for authenticating
said source apparatus; and

data processing means for performing a
process corresponding to said data or data
corresponding to said second information when said 
authentication means determines that said 
originality information which is sent to said 
collector apparatus is valid. 

48. The collector apparatus as claimed in
claim 47, said collector apparatus further
comprising means for storing or obtaining issuer
information;

said data processing means performing a
process corresponding to said data or data
corresponding to said second information when said
authentication means determines that said
originality information which is sent to said
collector apparatus is valid and when said issuer
apparatus corresponding to said first information is
included in said issuer information.



49. An original data circulation system
for storing or circulating original data which is
digital information, said original data circulation
system comprising:

an issuer apparatus which includes means
for generating originality information and sending
said originality information, said originality
information including first information
corresponding to said issuer apparatus and second
information corresponding to data;

a user apparatus which includes means for
verifying validity of a source apparatus of said
originality information and means for storing said
originality information when said validity is
verified; and

a collector apparatus which includes means
for verifying validity of a source apparatus of
said originality information and data processing
means for processing data corresponding to said
second information when said validity is verified.



50. An original data circulation system 
for storing or circulating original data which is 
digital information, said original data circulation 
system comprising:

an issuer apparatus including:
first originality information generation
means for generating originality information which
includes first information corresponding to said
issuer apparatus and second information
corresponding to data or information corresponding
to the data; and

first originality information sending
means for sending said originality information;

a user apparatus including:

first originality information sending
means for sending originality information which
includes first information corresponding to an
apparatus and second information corresponding to
data or information corresponding to the data;

first identifying means for identifying a
source apparatus of said originality information
which is sent from an apparatus;

first authentication means for determining
that said originality information is valid when said
source apparatus is authenticated or when said
apparatus corresponding to said first information
and said source apparatus is the same; and

storing means for storing said originality
information when said first authentication means
determines that said originality information is
valid; and

a collector apparatus including:

second identifying means for identifying a
source apparatus of originality information;

second authentication means for
authenticating said source apparatus; and

data processing means for performing a
process corresponding to said data or data
corresponding to said second information when said
second authentication means determines that said
originality information which is sent to said
collector apparatus is valid.



51. The original data circulation system 
as claimed in claim 49, said collector apparatus 
further comprising means for sending said
originality information sent from said user
apparatus to said issuer apparatus;

said issuer apparatus further comprising:
means for verifying that said originality
information is generated by said issuer apparatus;

means for verifying that said originality
information is sent via a valid route;

means for verifying that said data
corresponding to said second information has been
processed by said data processing means; and

means for providing a value according to 
said data to said collector apparatus. 



52. The original data circulation system
as claimed in claim 49, said issuer apparatus
further comprising means for adding a usable number
of said data as count information to said
originality information;

said user apparatus further comprising
means for verifying said count information;

said collector apparatus further
comprising means for verifying said count
information;

wherein said user apparatus can use said
data said usable number of times.




53. The original data circulation system
as claimed in claim 49, wherein an apparatus in said
data circulation system sends session information
which has uniqueness in said data circulation system
when said apparatus sends said originality
information;

an apparatus of the sending side which 
sends said originality information stores said 
originality information and said session information 
in said apparatus of the sending side; 

an apparatus of the receiving side sends 
said session information to said apparatus of the 
sending side when receiving said originality 
information; and 

said apparatus of the sending side deletes 
said originality information and said session 
information which are stored in said apparatus of 
the sending side. 



54. The original data circulation system 
as claimed in claim 49, said user apparatus further 
comprising means for generating said originality 
information.



55. A computer readable medium storing
program code for causing a computer in an original
data circulation system to store or circulate
original data which is digital information, said
computer readable medium comprising:

first program code means which is loaded
in a first apparatus, first program code means
comprising sending program code means for sending
originality information, said originality
information including first information which
corresponds to an apparatus and second information
which is data or information corresponding to the
data; and

a second program code means which is
loaded in a second apparatus, said second program
code means comprising:

identifying program code means for
identifying a source apparatus of said originality
information;

first authentication program code means
for determining that said originality information is
valid when said source apparatus is authenticated;
and

second authentication program code means
for determining that said originality information is
valid only when said source apparatus and an
apparatus corresponding to said first information of
said originality information are the same.


56. The computer readable medium as
claimed in claim 55, said first program code means
further comprising program code means for concealing
a private key;

said second program code means further
comprising program code means for storing or
obtaining a hash value of said second apparatus
which hash value is generated by applying a
unidirectional function to a public key
corresponding to one or a plurality of private keys;

said first authentication program code
means including program code means for
authenticating said first apparatus by verifying
that said first apparatus has a private key
corresponding to said hash value.



57. The computer readable medium as
claimed in claim 55, said sending program code means
including:

program code means for sending a third
party certificate to said second apparatus, said
third party certificate being a certificate
representing that said first apparatus is
authenticated by one or a plurality of third parties,
and said third party certificate corresponding to a
certifier of a third party;

said second program code means further
including program code means for storing or
obtaining third party information corresponding to
one or a plurality of third parties; and

said first authentication program code
means including program code means for
authenticating said first apparatus by verifying
that said first apparatus is an object to be
authenticated in said third party certificate and
that a certifier of said third party certificate is
included in third parties in said third party
information.



58. The computer readable medium as
claimed in claim 57, said second program code means
including program code means for storing or
obtaining third party accredited information
corresponding to said first information and one or a
plurality of third parties;

said first authentication program code
means including program code means for
authenticating said first apparatus by verifying
that said first apparatus is an object to be
authenticated in said third party certificate and
that a certifier of said third party certificate is
included in third parties in said third party
accredited information, said third parties
corresponding to said first information and being
extracted from said third party accredited
information.




59. The computer readable medium as
claimed in claim 57, said second program code means
including program code means for storing or
obtaining third party accredited information
corresponding to said first information and one or a
plurality of third parties;

said first authentication program code
means including program code means for
authenticating said first apparatus by verifying
that a certifier of said third party certificate is
included in third parties extracted from said third
party accredited information, said third parties
corresponding to said first information and said
second information.


60. The computer readable medium as 
claimed in claim 55, said first program code means 
including:

program code means for concealing a
private key; and

program code means for sending a public
key certificate and a signature by a private key,
said public key certificate being a public key of
said private key to which a signature by a third
party which trusts said first apparatus is provided;

said second program code means including:

program code means for identifying the
public key of said third party by verifying said
public key certificate; and

program code means for storing or
obtaining one or a plurality of hash values;

said first authentication program code
means including program code means for
authenticating said first apparatus by verifying
said signature by using said public key included in
said public key certificate and by verifying that
information generated by applying a unidirectional
function to said public key of said third party is
included in said hash values.



61. The computer readable medium as 
claimed in claim 55, said second program code means
including program code means for storing or
obtaining user accredited information corresponding
to said first information and one or a plurality of
third parties;

said first authentication program code
means including program code means authenticating
said first apparatus by verifying that said source
apparatus is included in information corresponding
to said first apparatus extracted from said first
information by using said user accredited
information.



62. The computer readable medium as
claimed in claim 55, said second program code means
including program code means for storing or
obtaining user accredited information corresponding
to one or a plurality of said first apparatuses from
said first information and said second information;

said first authentication program code
means including means for authenticating said first
apparatus by verifying that said source apparatus is
included in information on said first apparatuses
extracted from said user accredited information,
said information corresponding to said first
information and second information.



63. A computer readable medium storing
program code for causing a computer in an original
data circulation system to store or circulate
original data which is digital information, said
computer being used as an issuer apparatus, said
computer readable medium comprising:

originality information generation program
code means for generating originality information
which includes first information corresponding to
said issuer apparatus and second information
corresponding to data or information corresponding
to the data; and

originality information sending program
code means for sending said originality information.

64. The computer readable medium as
claimed in claim 63, further comprising:

program code means for concealing a
private key; and

program code means for generating a hash
value of said issuer apparatus as said first
information, said hash value is generated from a
public key of said private key by applying a
unidirectional function.



65. The computer readable medium as 
claimed in claim 63, further comprising program code
means for generating said second information by
applying a unidirectional function to said data.



66. The computer readable medium as
claimed in claim 65, further comprising program code
means for using an identifier which identifies
contents in a network as said second information.



67. A computer readable medium storing
program code for causing a computer in an original
data circulation system to store or circulate
original data which is digital information, said
computer being used as a user apparatus, said
computer readable medium comprising:

originality information sending program
code means for sending originality information which
includes first information corresponding to an
apparatus and second information corresponding to 
data or information corresponding to the data; 

identifying program code means for 
identifying a source apparatus of said originality 
information which is sent from an apparatus; 

authentication program code means for 
determining that said originality information is 
valid when said source apparatus is authenticated or 
when said apparatus corresponding to said first 
information and said source apparatus is the same; 
and 

storing program code means for storing 
said originality information when said 
authentication program code means determines that 
said originality information is valid. 



68. The computer readable medium as 
claimed in claim 67, further comprising program code 
means for deleting said originality information when 
said user apparatus sends said originality 
information.



69. A computer readable medium storing 
program code for causing a computer in an original 
data circulation system to store or circulate 
original data which is digital information, said 
computer being used as a collector apparatus, said
computer readable medium comprising: 

identifying program code means for 
identifying a source apparatus of originality 
information;

authentication program code means for 
authenticating said source apparatus; and 

data processing program code means for 
performing a process corresponding to said data or 
data corresponding to said second information when 
said authentication program code means determines 
that said originality information which is sent to 
said collector apparatus is valid. 



70. The computer readable medium as 
claimed in claim 69, further comprising: 

program code means for storing or 
obtaining issuer information; 

said data processing program code means 
including program code means for performing a 
process corresponding to said data or data 
corresponding to said second information when said 
authentication program code means determines that 
said originality information which is sent to said 
collector apparatus is valid and when said issuer 
apparatus corresponding to said first information is 
included in said issuer information. 



71. A computer readable medium storing 
program code for causing computers in an original 
data circulation system to store or circulate 
original data which is digital information, said 
computer readable medium comprising: 

issuer program code means which is loaded 
in an issuer apparatus, said issuer program code
means including:

first originality information generation
program code means for generating originality
information which includes first information
corresponding to said issuer apparatus and second
information corresponding to data or information
corresponding to the data; and

first originality information sending
program code means for sending said originality
information;

user program code means which is loaded in 
a user apparatus, said user program code means 
including:

first originality information sending
program code means for sending originality
information which includes first information
corresponding to an apparatus and second information
corresponding to data or information corresponding
to the data;

first identifying program code means for
identifying a source apparatus of said originality
information which is sent from an apparatus;

first authentication program code means
for determining that said originality information is
valid when said source apparatus is authenticated or
when said apparatus corresponding to said first
information and said source apparatus are the same;
and

storing program code means for storing
said originality information when said first
authentication program code means determines that
said originality information is valid; and

collector program code means which is
loaded in a collector apparatus, said collector
program code means including:

second identifying program code means for 
identifying a source apparatus of originality 
information;

second authentication program code means
for authenticating said source apparatus; and

data processing program code means for
performing a process corresponding to said data or
data corresponding to said second information when
said second authentication program code means
determines that said originality information which
is sent to said collector apparatus is valid.



ABSTRACT OF THE DISCLOSURE

An original data circulation system for 
storing or circulating original data which is 
digital information is provided. The original data 
circulation system includes an issuer apparatus, a 
user apparatus and a collector apparatus. The
issuer apparatus generates originality information 
including first information corresponding to the 
issuer apparatus and second information 
corresponding to data and sends the originality 
information. The user apparatus verifies the 
validity of the source apparatus of the originality 
information and stores the originality information
when the validity is verified. The collector 
apparatus verifies the validity of the source 
apparatus of the originality information and 
processes data corresponding to the second 
information when the validity is verified. 
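
The acceptance rule and transfer sequence summarized above and recited in claims 45 to 48 and 53, as an added sketch that is not part of the specification. SHA-256, all class and function names, and the sample keys are assumptions; proof that a source apparatus holds the private key behind its fingerprint (claim 56) is assumed to have been completed before receive() is called.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def fingerprint(public_key: bytes) -> str:
    # Unidirectional function over a public key (claims 42, 56, 64); SHA-256 is assumed.
    return hashlib.sha256(public_key).hexdigest()


@dataclass(frozen=True)
class Originality:
    issuer_fp: str  # "first information": identifies the issuer apparatus
    data_hash: str  # "second information": hash of the data (claims 43, 65)


def issue(issuer_public_key: bytes, data: bytes) -> Originality:
    return Originality(fingerprint(issuer_public_key), hashlib.sha256(data).hexdigest())


@dataclass
class Apparatus:  # hypothetical model of a user or collector apparatus
    public_key: bytes
    accredited: set = field(default_factory=set)  # fingerprints of trusted sources
    issuers: Optional[set] = None                 # issuer information (claims 48, 70)
    store: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # session id -> token awaiting ack

    @property
    def fp(self) -> str:
        return fingerprint(self.public_key)

    def is_valid(self, token: Originality, source_fp: str) -> bool:
        # Claims 45/67: valid when the source is authenticated (accredited here)
        # or when the source is the apparatus named by the first information.
        ok = source_fp in self.accredited or source_fp == token.issuer_fp
        if self.issuers is not None:  # collector also checks the issuer list
            ok = ok and token.issuer_fp in self.issuers
        return ok

    def receive(self, token: Originality, source_fp: str, session: str):
        # Assumption: source_fp was already proven by the transport layer.
        if not self.is_valid(token, source_fp):
            return None
        self.store.add(token)  # for a collector this stands in for processing
        return session         # session information echoed to the sender (claim 53)

    def send(self, token: Originality, receiver: "Apparatus") -> bool:
        if token not in self.store:
            return False
        session = secrets.token_hex(16)
        self.pending[session] = token
        ack = receiver.receive(token, self.fp, session)
        self.pending.pop(session)
        if ack != session:
            return False           # refused: the sender keeps its copy
        self.store.discard(token)  # acknowledged: the sender deletes (claims 46, 53)
        return True


def run_scenario() -> dict:
    # Constructed sample keys; real apparatuses would hold concealed private keys.
    issuer, alice, bob, rogue = (
        Apparatus(k) for k in (b"issuer-pk", b"alice-pk", b"bob-pk", b"rogue-pk"))
    trusted = {alice.fp, bob.fp}
    alice.accredited = bob.accredited = trusted
    collector = Apparatus(b"collector-pk", accredited=trusted, issuers={issuer.fp})
    token = issue(issuer.public_key, b"ticket: seat 12A")
    issuer.store.add(token)
    results = {"issuer_to_alice": issuer.send(token, alice),
               "alice_to_bob": alice.send(token, bob),
               "alice_resend": alice.send(token, bob)}
    rogue.store.add(token)  # byte-for-byte copy on an unaccredited apparatus
    results["rogue_to_collector"] = rogue.send(token, collector)
    results["bob_to_collector"] = bob.send(token, collector)
    results["bob_resend"] = bob.send(token, collector)
    return results
```

A copy of the originality information is refused at the collector because its source is neither accredited nor the issuer named in the first information, and each legitimate holder loses its copy once the receiver acknowledges the session.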